RESEARCH REPORT 029

HSE Health & Safety Executive

Proposal for requirements for low complexity safety related systems

Prepared by RM Consultants Limited for the Health and Safety Executive

2002

RM Consultants Limited
Genesis Centre
Birchwood Science Park
Risley
Warrington
Cheshire WA3 7BH
United Kingdom

A framework is proposed for the application of IEC61508 to “low complexity” systems such as simple relay based interlock arrangements commonly found in machinery safeguarding applications.

A scheme for architectural constraints is proposed which limits the Safety Integrity Levels (SILs) which can be claimed for low complexity systems of various degrees of hardware fault tolerance. The scheme is consistent with the principles of IEC 61508 while simplifying the requirements.

Comparisons of the numerically and qualitatively assessed SILs on the basis of annual proof testing, annual functional testing only, and taking into account CCF are included for 18 example circuits. The proposed scheme has been shown to be consistent with the achievement of the target failure rate and PFD of the relevant SIL for “low complexity” systems.

In order to simplify the process of reliability analysis to satisfy the requirements for hardware reliability, conservative values based on generic reliability data are proposed for particular components.

Requirements for action on failure detection and for the avoidance of systematic failures are also proposed based on IEC 61508 but tailored for low complexity systems.

The examples in this report are taken from the machinery sector but the principles described will also be applicable in other sectors.

This report and the work it describes were funded by the Health and Safety Executive (HSE). Its contents, including any opinions and/or conclusions expressed, are those of the author alone and do not necessarily reflect HSE policy.

HSE BOOKS


© Crown copyright 2002

First published 2002

ISBN 0 7176 2576 1

All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording or otherwise) without the prior written permission of the copyright owner.

Applications for reproduction should be made in writing to: Licensing Division, Her Majesty's Stationery Office, St Clements House, 2-16 Colegate, Norwich NR3 1BQ or by e-mail to [email protected]

Glossary of Symbols, Acronyms and Abbreviations

CCF      Common Cause Failure
E/E/PE   Electrical/Electronic/Programmable Electronic
EMI      Electromagnetic Interference
FMEA     Failure Modes and Effects Analysis
IEC      International Electrotechnical Commission
I/P      Input
MTTF     Mean Time to Failure
MTTR     Mean Time to Repair
O/P      Output
PFD      Probability of Failure on Demand
SFF      Safe Failure Fraction
SIL      Safety Integrity Level (as defined in IEC 61508)
SPST     Single Pole Single Throw (switch)

Symbols used in calculations

PFDS     Probability of Failure on Demand of the Sensor element of a channel of protection
PFDLS    Probability of Failure on Demand of the Logic Solver element of a channel of protection
PFDFE    Probability of Failure on Demand of the Final Element of a channel of protection
PFDSC    Probability of Failure on Demand of a Single Channel of protection
PFD1oo2  Probability of Failure on Demand of a 1 out of 2 redundancy protection system
PFD1oo3  Probability of Failure on Demand of a 1 out of 3 redundancy protection system
T        Interval between proof tests
β        Common Cause Failure Beta Factor
λ        Failure rate
λDU      Rate of dangerous, undetected failures


FOREWORD

HSE recently commissioned research into how “low complexity” systems based upon electromechanical devices may be designed in a way that complies with the IEC 61508 standard. The “low complexity” systems considered are used in interlocking schemes similar to those commonly found in machinery safeguarding applications.

This report resulted from this work and it presents a methodology for the design, integration and validation of low complexity electrical/electronic/ programmable electronic safety-related systems.

Whilst the report is the opinion of the author and does not necessarily reflect HSE policy, HSE offers this work as an illustration of a principled approach for the design, integration and validation of low complexity E/E/PE safety-related systems in terms of:

- Probability of dangerous random hardware failures;
- Measures to prevent (or control) systematic failures; and
- Architectural constraints on hardware integrity.

The methodology presented is supported by a series of model systems where the safety integrity level (SIL) and other requirements (e.g. proof test interval, safe failure fraction, etc.) have been pre-determined by applying the methodology to typical machinery guard interlocking schemes.

HSE invites comments on the practicality and effectiveness of the recommended approach to achieving the above goals, and on any other significant aspect of the safety integrity of low complexity safety-related systems that is not addressed by this work.

Please send your comments by 30 April 2003 to

Eur Ing S Frost
Technology Division
Electrical and Control Systems Unit
Magdalen House
Stanley Precinct
Bootle
Merseyside
L20 3QZ

CONTENTS (Page No.)

1.0 INTRODUCTION 1
2.0 PROPOSED FRAMEWORK FOR ARCHITECTURAL CONSTRAINTS 2
  2.1. Data Requirements 7
  2.2. Fault Exclusions 8
3.0 VALIDATION OF PROPOSED ARCHITECTURAL CONSTRAINTS 10
  3.1. Validation Using Generic Data 10
  3.2. Application to Actual Architectures 13
4.0 PROPOSED REQUIREMENTS FOR HARDWARE RELIABILITY 14
  4.1. Generic Failure Rates 14
5.0 PROPOSED REQUIREMENTS FOR ACTION ON FAILURE DETECTION 15
6.0 PROPOSED REQUIREMENTS FOR DEFENCES AGAINST SYSTEMATIC FAILURE 15
7.0 REQUIREMENTS FOR PROVEN-IN-USE 19
8.0 REFERENCES 20
APPENDIX A: DERIVATION OF COMPONENT FAILURE RATES A1
APPENDIX B: PFD OF A REDUNDANT SYSTEM SUBJECT TO ONLY FUNCTIONAL TESTING B1
APPENDIX C: CALCULATION OF FAILURE MEASURES AND COMPARISON WITH ARCHITECTURAL CONSTRAINTS FOR MACHINERY GUARDING CIRCUITS C1
APPENDIX D: FAILURE MODES OF ELECTRICAL / ELECTRONIC COMPONENTS FOR LOW COMPLEXITY E/E/PES AND CONSERVATIVE VALUES OF FAILURE RATE D1


1.0 INTRODUCTION

IEC 61508 [Reference 1] defines requirements for systems to achieve various Safety Integrity Levels (SILs). SILs are defined in terms of Frequency of Dangerous Failure (for continuously operating control systems or protection systems subjected to a high demand rate) or Probability of Failure on Demand (PFD) (e.g. for protection systems subjected to a low demand rate).

The numerical definitions of the SILs are as follows:

Safety Integrity Level | Demand mode of operation (probability of failure to perform its design function on demand) | Continuous / high demand mode of operation (probability of a dangerous failure per year)
4 | ≥10^-5 to <10^-4 | ≥10^-5 to <10^-4
3 | ≥10^-4 to <10^-3 | ≥10^-4 to <10^-3
2 | ≥10^-3 to <10^-2 | ≥10^-3 to <10^-2
1 | ≥10^-2 to <10^-1 | ≥10^-2 to <10^-1

TABLE 1: DEFINITION OF SAFETY INTEGRITY LEVELS (SILs)

Reference 1 gives guidance on the achievement of the above SILs based on:

· Requirements for hardware safety integrity comprising:
  o The architectural constraints on hardware safety integrity and
  o The requirements for the probability of dangerous random hardware failures
· Requirements for systematic safety integrity comprising:
  o The requirements for the avoidance of failures and the requirements for the control of systematic faults or
  o Evidence that the equipment is proven in use.
· The requirements for system behaviour on detection of a fault.


The architectural constraints impose limits on the SILs which can be claimed for particular architectures. These limits may result in lower SILs than are indicated by hardware reliability calculations. The limits are intended to allow for:

· Uncertainties in the data.
· Systematic failures.

The detailed requirements under each of the above general categories are applicable to all Electrical/Electronic/Programmable Electronic (E/E/PE) safety related systems and are therefore sufficiently detailed and comprehensive to cover complex programmable systems. The guidance could therefore be considered overly complex and overly restrictive for simple, generally non-programmable “low complexity” systems which are defined in IEC 61508 as follows:

“E/E/PE safety-related systems in which:
· the failure modes of each individual component are well defined; and
· the behaviour of the system under fault conditions can be completely determined.”

These requirements will often be satisfied by systems based on relay logic as are commonly used in machinery safeguarding applications.

This report proposes a simplified scheme for the application of the IEC 61508 requirements to low complexity systems.

2.0 PROPOSED FRAMEWORK FOR ARCHITECTURAL CONSTRAINTS

Consider a typical low complexity safeguarding system:

Figure 1. Schematic Block Diagram of Simple Safeguarding System (blocks: I/P Device 1, I/P Device 2, Logic, Output Device)

In IEC 61508, each of the above blocks is considered to be a subsystem and the system SIL requirement is met by utilising subsystems of an adequate (equivalent or higher) SIL. The subsystems must meet the Reliability, Architectural Constraints, Systematic Failure and Behaviour on Fault Detection requirements for that SIL.

The architectural constraints on the SIL which can be claimed for subsystems performing a safety function are specified by Tables 2 and 3 in Part 2 of IEC 61508 which are reproduced below:

Safe failure fraction | Hardware fault tolerance 0 | 1 | 2 (see Note 2)
< 60 %        | SIL1 | SIL2 | SIL3
60 % - < 90 % | SIL2 | SIL3 | SIL4
90 % - < 99 % | SIL3 | SIL4 | SIL4
> 99 %        | SIL3 | SIL4 | SIL4

NOTE 1 See IEC61508-2 7.4.3.1.1 to 7.4.3.1.4 for details on interpreting this table.
NOTE 2 A hardware fault tolerance of N means that N+1 faults could cause a loss of the safety function.
NOTE 3 See IEC61508-2 annex C for details of how to calculate safe failure fraction.

TABLE 2: IEC 61508 ARCHITECTURAL CONSTRAINTS FOR TYPE A SAFETY RELATED SUBSYSTEMS

Safe failure fraction | Hardware fault tolerance 0 | 1 | 2 (see Note 2)
< 60 %        | Not allowed | SIL1 | SIL2
60 % - < 90 % | SIL1 | SIL2 | SIL3
90 % - < 99 % | SIL2 | SIL3 | SIL4
> 99 %        | SIL3 | SIL4 | SIL4

NOTE 1 See IEC61508-2 7.4.3.1.1 to 7.4.3.1.4 for details on interpreting this table.
NOTE 2 A hardware fault tolerance of N means that N+1 faults could cause a loss of the safety function.
NOTE 3 See IEC61508-2 annex C for details of how to calculate safe failure fraction.

TABLE 3: IEC 61508 ARCHITECTURAL CONSTRAINTS FOR TYPE B SAFETY RELATED SUBSYSTEMS

The requirements for subsystems of Type A are, in accordance with IEC 61508:

“A subsystem … can be regarded as type A if, for the components required to achieve the safety function
a) the failure modes of all constituent components are well defined; and
b) the behaviour of the subsystem under fault conditions can be completely determined; and
c) there is sufficient dependable failure data from field experience to show that the claimed rates of failure for detected and undetected dangerous failures are met.”

Requirements (a) and (b) are identical to those defined for low complexity systems above. Therefore, if Requirement (c) for reliable failure data can be satisfied, the subsystems may be considered to be Type A. The rates of failure for detected and undetected dangerous failures can be ascertained in one of two ways:

(a) By the availability of detailed data of adequate quality which differentiates between different (safe or unsafe) failure modes or;
(b) By carrying out a Failure Modes and Effects Analysis (FMEA).

The meaning of “detailed data of adequate quality” is discussed further in Section 2.1.

It is not an onerous procedure to carry out an FMEA on a low complexity system and it is proposed in this report that a properly conducted FMEA should be considered as one means of meeting Requirement (c) for dependable data.

In some cases, components and subsystems may have no reasonably foreseeable dangerous failure modes. For example, it may not be credible that the contacts of an ultimate series limit switch on a crane could stick closed to the extent that the contacts would not open under the force of the crane. In such cases, the failure mode may be excluded from consideration. Further examples of failure mode exclusions are discussed in Section 2.2.

If Requirement (c) cannot be satisfied by the availability of failure mode data, FMEA, or on the basis of engineering judgement as above, then strictly speaking, Table 3 for Type B components should be used. However, it is proposed that, for low complexity systems, Table 2 for Type A components may be used provided:

i. Conservative data is used in the Hardware Reliability calculation and;
ii. A SFF of < 60% is assumed when applying Table 2.

In addition, it is advisable to carry out an analysis to determine the sensitivity of the assessed SIL to the reliability data used.

In order to facilitate the estimation of SFF for low complexity systems by FMEA where dependable data are not available or to help satisfy (i) above, some conservatively derived component failure rate and failure mode data is presented in Appendix D of this report.

The above procedure for hardware reliability analysis and the application of architectural constraints is summarised in the flowchart, Figure 2.

Figure 2. Process for Hardware Reliability Analysis and Application of Architectural Constraints for Low Complexity Systems (flowchart; the boxes and decisions it contains are listed below)

Start
Dependable failure mode failure rate data available?* Yes: carry out hardware reliability analysis; apply architectural constraints from Table 2 using known SFF; End.
No: FMEA carried out? Yes: carry out hardware reliability analysis; apply architectural constraints from Table 2 using known SFF; End.
No: use conservative generic data from Appendix D or elsewhere; carry out hardware reliability analysis; apply architectural constraints from Table 2 assuming SFF < 60%; End.

* i.e. Failure rate data which distinguishes between safe and unsafe modes of failure.
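The lookup below is an added example, not code from the report or from IEC 61508 itself: it encodes Tables 2 and 3 as reproduced above and the Figure 2 decision process in Python. The function names, the treatment of the "> 99 %" row as the band from 99 % upwards, the capping of hardware fault tolerance above 2 at the last column, and the weakest-link rule for combining subsystem constraints (taken from the statement that the system SIL is met by subsystems of equivalent or higher SIL) are this example's own assumptions.

```python
"""Architectural constraints on the SIL claimable for low complexity subsystems.

Added example, not code from the HSE report or from IEC 61508. It encodes
Tables 2 and 3 as reproduced in the report and the Figure 2 process. All
names, and the handling of the band boundaries, are this example's own.
"""

# Rows of Tables 2 and 3: SFF bands as [low, high). The report prints the
# last row as "> 99 %"; it is treated here as 99 % and above (assumption).
SFF_BANDS = ((0.0, 0.60), (0.60, 0.90), (0.90, 0.99), (0.99, 1.0001))

# Columns are hardware fault tolerance 0, 1, 2. None means "Not allowed".
TABLE_2_TYPE_A = {0: (1, 2, 3), 1: (2, 3, 4), 2: (3, 4, 4), 3: (3, 4, 4)}
TABLE_3_TYPE_B = {0: (None, 1, 2), 1: (1, 2, 3), 2: (2, 3, 4), 3: (3, 4, 4)}


def sff_band(sff):
    """Map a safe failure fraction (0..1) onto the row index of Tables 2/3."""
    if not 0.0 <= sff <= 1.0:
        raise ValueError("SFF must be a fraction between 0 and 1")
    for index, (low, high) in enumerate(SFF_BANDS):
        if low <= sff < high:
            return index
    return len(SFF_BANDS) - 1


def architectural_constraint(sff, hft, subsystem_type="A"):
    """Maximum SIL claimable for a subsystem, or None when the table says not allowed.

    hft is the hardware fault tolerance as in Note 2: N means N+1 faults could
    cause loss of the safety function. Values above 2 use the HFT 2 column,
    since the tables have no higher column (assumption).
    """
    table = TABLE_2_TYPE_A if subsystem_type == "A" else TABLE_3_TYPE_B
    column = min(max(hft, 0), 2)
    return table[sff_band(sff)][column]


def low_complexity_constraint(hft, dependable_data=False, fmea_done=False, sff=None):
    """Figure 2 process for a low complexity subsystem.

    With dependable failure-mode data or an FMEA the known SFF is applied to
    Table 2; otherwise conservative generic data is assumed and Table 2 is
    entered with SFF < 60 % (condition ii of Section 2).
    """
    if dependable_data or fmea_done:
        if sff is None:
            raise ValueError("SFF must be supplied when it is known")
        return architectural_constraint(sff, hft, "A")
    return architectural_constraint(0.0, hft, "A")  # SFF < 60 % assumed


def system_constraint(subsystem_limits):
    """Weakest link: the system cannot claim more than its most constrained subsystem."""
    if any(limit is None for limit in subsystem_limits):
        return None
    return min(subsystem_limits)


if __name__ == "__main__":
    # Single channel (HFT 0) assessed with generic data only: SIL 1
    print(low_complexity_constraint(hft=0))
    # Dual channel (HFT 1) after an FMEA giving SFF 75 %: SIL 3
    print(low_complexity_constraint(hft=1, fmea_done=True, sff=0.75))
    # The same SFF band judged Type B at HFT 0 is not allowed at all
    print(architectural_constraint(0.5, 0, "B"))
    # Sensor, logic solver and final element limits combined
    print(system_constraint([2, 3, 2]))
```

`low_complexity_constraint` is the branch taken for the worked cases later in the report (generic data, no FMEA), which is why every configuration there is entered in Table 2 at SFF < 60 %.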

Page 16: RESEARCH REPORT 029 › research › rrpdf › rr029.pdf · RESEARCH REPORT 029. HSE Health & Safety Executive Proposal for requirements for low complexity safety related systems

2.1. Data Requirements

(Note. This section refers to subsystem data for consistency with IEC 61508. It is recognised, however, that in low complexity systems, a subsystem may be a single component, e.g. a limit switch, a relay or a contactor.)

One of the factors to be taken into account in the framework for architectural constraints proposed above is the availability or otherwise of dependable data for the failure rate or failure probability of the subsystems under consideration. This section discusses the requirements for data to be considered “dependable”.

IEC 61508 sets requirements for evidence if a subsystem is to be considered “proven in use”. The requirements for dependable data are considered to be similar, as far as they apply to low complexity systems and excluding those which relate to systematic failure avoidance, and these are summarised below:

1. There must be confidence that all failures of the population have been identified and recorded. This is particularly important for undetected or covert failure modes of protective systems which only operate if a demand is placed upon them or by a properly planned and executed proof test. In this case, the results of proof testing must be recorded.
2. The data should come from a source which puts no less stress on the subsystem than the target application with respect to:
   a. Frequency of operation
   b. Environmental conditions
   c. Electrical and mechanical stress etc.
3. The data collection must differentiate between different failure modes to the extent required to derive the Safe Failure Fraction.
4. There must be sufficient operating time to support the claimed failure rate to an adequate degree of confidence. As a minimum, sufficient operating time is required to establish the claimed failure rate to a single sided lower confidence limit of at least 70%. An operational time of any individual subsystem of less than one year shall not be considered as part of the total operational time in the statistical analysis. (A discussion on confidence limits is given in Reference 4.)
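Requirement 4 is the one most often left unquantified. The following Python is an added example, not from the report or from Reference 4, showing one way to check it: the claimed failure rate is taken as supported when the one-sided 70% upper confidence bound on the rate observed in the population does not exceed the claim, with the failure count modelled as Poisson; subsystems with under one year of service are dropped from the total, as requirement 4 states. The Poisson model, the bisection solver, the helper names and the sample population are this example's own assumptions.

```python
"""Does field data support a claimed failure rate? (Section 2.1, requirement 4)

Added example, not code from the HSE report or from Reference 4. Requirement
4 is read as a one-sided bound: the claim is supported when the 70 % upper
confidence bound on the rate seen in the population is no higher than the
claimed rate. The Poisson model, the solver, all names and the sample
population are this example's own assumptions.
"""
import math

HOURS_PER_YEAR = 8760.0
CONFIDENCE = 0.70  # single-sided confidence level of requirement 4


def poisson_cdf(k, mean):
    """P(N <= k) for a Poisson count with the given mean."""
    term = math.exp(-mean)
    total = term
    for i in range(1, k + 1):
        term *= mean / i
        total += term
    return total


def upper_bound_failure_rate(failures, hours, confidence=CONFIDENCE):
    """One-sided upper confidence bound on the failure rate, per hour.

    The bound is the rate at which seeing no more than `failures` events in
    `hours` would have had probability 1 - confidence.
    """
    if hours <= 0:
        raise ValueError("need positive operating time")
    if failures == 0:
        return -math.log(1.0 - confidence) / hours  # closed form for zero failures
    low, high = 0.0, 50.0 * (failures + 1) / hours
    for _ in range(200):  # bisection: poisson_cdf falls as the rate rises
        mid = (low + high) / 2.0
        if poisson_cdf(failures, mid * hours) > 1.0 - confidence:
            low = mid
        else:
            high = mid
    return (low + high) / 2.0


def required_hours(claimed_rate_per_hour, failures=0, confidence=CONFIDENCE):
    """Operating hours at which the bound just meets the claimed rate."""
    # For a fixed failure count the bound scales as 1 / hours
    return upper_bound_failure_rate(failures, 1.0, confidence) / claimed_rate_per_hour


def usable_operating_data(population):
    """Total (hours, failures) over subsystems with at least one year of service.

    Each entry is (operating_hours, failures). Requirement 4: subsystems with
    under one year of operation do not count towards the total.
    """
    kept = [(h, f) for h, f in population if h >= HOURS_PER_YEAR]
    return sum(h for h, _ in kept), sum(f for _, f in kept)


def supports_claim(population, claimed_rate_per_hour, confidence=CONFIDENCE):
    """True when the usable field data demonstrates the claimed rate."""
    hours, failures = usable_operating_data(population)
    if hours == 0:
        return False
    return upper_bound_failure_rate(failures, hours, confidence) <= claimed_rate_per_hour


# Constructed sample: five relays as (operating hours, dangerous failures found
# at proof test). The last two have under one year of service and are excluded.
SAMPLE_POPULATION = [(26280, 0), (17520, 1), (8760, 0), (4380, 0), (2000, 1)]
RELAY_CLAIM_PER_HOUR = 1.7e-3 / HOURS_PER_YEAR  # Table 4 relay rate, per hour

if __name__ == "__main__":
    hours, failures = usable_operating_data(SAMPLE_POPULATION)
    bound = upper_bound_failure_rate(failures, hours)
    print(f"usable data: {hours:.0f} h, {failures} failures; "
          f"70% bound {bound:.2e}/h vs claim {RELAY_CLAIM_PER_HOUR:.2e}/h")
    print("claim supported:", supports_claim(SAMPLE_POPULATION, RELAY_CLAIM_PER_HOUR))
    print(f"zero-failure hours needed: {required_hours(RELAY_CLAIM_PER_HOUR):.3g}")
```

The sample population falls short by orders of magnitude: with one failure in about 52,500 usable hours the 70% bound is around 4.6 x 10^-5 per hour, while the Table 4 relay rate is about 1.9 x 10^-7 per hour, and even a failure-free population would need roughly 6 x 10^6 hours. That is the practical content of the report's remark that these requirements are difficult to meet directly.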

The above requirements for data to be considered dependable are difficult to meet in practice and are unlikely to be satisfied directly by generic data sources (e.g. MIL-HDBK-217, Reference 5) or manufacturers’ data which often do not quote failure modes. Such data on individual components, applied with care and conservatively, is however acceptable for use in reliability analysis by FMEA.

For low complexity systems, it is not always necessary that the actual application from which the data is derived be similar in all respects to the target application. For example, if the item considered is a relay, the actual logic operations being carried out are of no account but the physical environment and mode and frequency of operation are important (e.g. whether the relay is normally energised, contacts required to open or close on demand, frequency of cycling etc.). However, in many cases, for example the “wet end” components of an instrumentation system in the process industry, the environment is likely to be very different from that from which generic data is derived. In such cases, data from a similar application or generic data modified by suitable environment factors is required.

2.2. Fault Exclusions

It may be acceptable to argue on the basis of engineering judgement that certain failure modes of a subsystem or component are not credible. If the failure modes in question are the only unsafe failure modes of the device, then they may be excluded from consideration in the calculation of hardware reliability and the application of architectural constraints. Annex D of Reference 3 lists failure modes for various types of electrical items which may be excluded from consideration and, where applicable, the conditions which apply to the exclusion.

In other cases, it may be possible to design the system to detect unsafe failure modes with a high degree of confidence using such techniques as:

· dynamic operation (the system reverts to a safe state unless pulses are generated continuously);
· continuous monitoring of an analogue signal for example to detect out of range values indicative of sensor failure;
· loop continuity test by standing current;
· dynamic self testing (e.g. safety relay).

Again, in the above cases, certain failure modes may be excluded from consideration in the reliability analysis and the architectural constraints, given an adequate technical justification (which might come out of FMEA for example).

3.0 VALIDATION OF PROPOSED ARCHITECTURAL CONSTRAINTS

In order to validate the above, a number of configurations of typical low complexity systems have been assessed using generic data in order to demonstrate that they achieve at least the SIL levels appropriate to their architecture.

3.1. Validation Using Generic Data

Appendix A derives some failure rate values for the most commonly used devices in low complexity safety related systems in the machinery sector, assuming proper device selection for duty and rating, installation and maintenance. These are shown in Table 4 below:

Device | Failure mode | Failure rate λ (y^-1)
Limit switch | Single contact fails to open or close on demand due to contact or mechanical failure | 1.4 x 10^-1
Limit switch, positively opening on demand | Single contact fails to open on demand due to contact or mechanical failure | 3.4 x 10^-3
Relay | Single contact fails to open or close on demand due to contact or mechanical failure | 1.7 x 10^-3
Contactor | Three phase ac contacts fail to open on demand due to contact or mechanical failure | 5.5 x 10^-3

TABLE 4: GENERIC DEVICE FAILURE RATES

A simple interlocking circuit is considered, comprising a sensor (limit switch, positively opening on demand), logic solver (single relay) and final element (contactor) which stops a motor (or prevents a motor from starting) if a guard is not in place. The PFD is assessed below for a sample of Hardware Fault Tolerance 0 and 1 architectures assuming that a full proof test is carried out annually. In systems with redundancy, the proof test is assumed to check that all sensors, logic solvers and final elements are working.

A schematic of a possible implementation of a single channel system is shown in Figure 3.

For a single element:

PFD = λDU T / 2

where λDU = Dangerous undetected failure rate
T = Interval between proof tests = 1 year.

Hence, applying the failure rates from Table 3:

PFD for the Sensor element, PFDS = 1.7 x 10^-3
PFD for the Logic Solver, PFDLS = 8.5 x 10^-4
PFD for the Final Element, PFDFE = 2.8 x 10^-3

By summation, the PFD for the complete single channel is:

PFDSC = PFDS + PFDLS + PFDFE = 5.3 x 10^-3

For systems with 1 out of 2 redundancy (Hardware Fault Tolerance = 1) the system PFD is given by:

PFD1oo2 = 4/3 PFDSC^2

For systems with 1 out of 3 redundancy (Hardware Fault Tolerance = 2) the system PFD is given by:

PFD1oo3 = 2 PFDSC^3

Common cause failures are included in the assessment below assuming beta factors of 1%, 5% and 10%. (To simplify the formulae, common cause failures are assumed to be added to the total element failure rates rather than being part of the total failure rates as is conventional. This has little effect on the calculated numbers.)

For each configuration the table gives the formula for PFD, the system PFD (with the SIL indicated by Table 1) for β = 1%, 5% and 10%, and the architectural constraint from Table 2.

Case 1, Hardware Fault Tolerance 0
  Channels: S1 LS1 FE1
  Formula for PFD: PFDSC = PFDS + PFDLS + PFDFE
  System PFD: 5.3 x 10^-3 (SIL 2)
  Architectural constraint (Table 2): SIL 1 (PFD ≥10^-2 to <10^-1)

Case 2, Hardware Fault Tolerance 1
  Channels: S1 LS1 FE1 / S2 LS2 FE2
  Formula for PFD: 4/3 PFDSC^2 + β PFDSC
  System PFD: β = 1%: 9.0 x 10^-5 (SIL 4); β = 5%: 3.0 x 10^-4 (SIL 3); β = 10%: 5.7 x 10^-4 (SIL 3)
  Architectural constraint (Table 2): SIL 2 (PFD ≥10^-3 to <10^-2)

Case 3, Hardware Fault Tolerance 1
  Channels: S1 LS1 FE1 / S2 LS2 FE2
  Formula for PFD: 4/3 PFDS^2 + 4/3 PFDLS^2 + 4/3 PFDFE^2 + β PFDSC
  System PFD: β = 1%: 6.8 x 10^-5 (SIL 4); β = 5%: 2.8 x 10^-4 (SIL 3); β = 10%: 5.5 x 10^-4 (SIL 3)
  Architectural constraint (Table 2): SIL 2 (PFD ≥10^-3 to <10^-2)

Case 4, Hardware Fault Tolerance 2
  Channels: S1 LS1 FE1 / S2 LS2 FE2 / S3 LS3 FE3
  Formula for PFD: 2 PFDSC^3 + β PFDSC
  System PFD: β = 1%: 5.3 x 10^-5 (SIL 4); β = 5%: 2.7 x 10^-4 (SIL 3); β = 10%: 5.3 x 10^-4 (SIL 3)
  Architectural constraint (Table 2): SIL 3 (PFD ≥10^-4 to <10^-3)

TABLE 5: PFDs FOR VARIOUS CONFIGURATIONS, TAKING INTO ACCOUNT CCF
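As an added example (not the report's own code), the Python below recomputes Table 5 from the Table 4 failure rates using the formulas given above, the report's simplification of adding β·PFDSC for common cause failure, and the Table 1 demand-mode bands, and then applies the Table 2 constraint for SFF < 60% to obtain the SIL that can actually be claimed. The function names, the `assess` record layout and the printed layout are this example's own; the per-element form of Case 3 is taken from the formula in the table.

```python
"""PFD of single and redundant low complexity channels, reproducing Table 5.

Added example, not code from the HSE report. It applies the Section 3.1
formulas to the Table 4 generic failure rates, adds beta * PFD_SC for common
cause failure as the report does, bands the result with Table 1 (demand mode)
and caps it with the Table 2 constraint for SFF < 60 %. Names are this
example's own.
"""

PROOF_TEST_INTERVAL_YEARS = 1.0   # T: annual full proof test

# Table 4 dangerous failure rates (lambda_DU), per year
LAMBDA_DU = {
    "sensor": 3.4e-3,         # limit switch, positively opening on demand
    "logic_solver": 1.7e-3,   # single relay
    "final_element": 5.5e-3,  # contactor
}

# Table 1, demand mode: SIL n covers 10^-(n+1) <= PFD < 10^-n
SIL_BANDS = {4: (1e-5, 1e-4), 3: (1e-4, 1e-3), 2: (1e-3, 1e-2), 1: (1e-2, 1e-1)}

# Table 2 entered with SFF < 60 % (generic data, no FMEA), by hardware fault tolerance
ARCH_CONSTRAINT_SFF_BELOW_60 = {0: 1, 1: 2, 2: 3}


def element_pfd(lambda_du, t=PROOF_TEST_INTERVAL_YEARS):
    """Average PFD of one element between proof tests: lambda_DU * T / 2."""
    return lambda_du * t / 2.0


def single_channel_pfd(rates=LAMBDA_DU, t=PROOF_TEST_INTERVAL_YEARS):
    """PFD_SC = PFD_S + PFD_LS + PFD_FE (series elements, summed)."""
    return sum(element_pfd(r, t) for r in rates.values())


def pfd_1oo2(pfd_sc, beta):
    """Case 2: two complete channels voted 1oo2, CCF added as beta * PFD_SC."""
    return 4.0 / 3.0 * pfd_sc ** 2 + beta * pfd_sc


def pfd_1oo2_per_element(rates, beta, t=PROOF_TEST_INTERVAL_YEARS):
    """Case 3: 1oo2 redundancy applied element by element."""
    pfd_sc = single_channel_pfd(rates, t)
    return sum(4.0 / 3.0 * element_pfd(r, t) ** 2 for r in rates.values()) + beta * pfd_sc


def pfd_1oo3(pfd_sc, beta):
    """Case 4: three channels voted 1oo3, CCF added as beta * PFD_SC."""
    return 2.0 * pfd_sc ** 3 + beta * pfd_sc


def sil_from_pfd(pfd):
    """SIL indicated by the reliability calculation alone; None outside SIL 1-4."""
    for sil, (low, high) in SIL_BANDS.items():
        if low <= pfd < high:
            return sil
    return None


def assess(case, hft, pfd):
    """Claimable SIL is the lower of the calculated SIL and the architectural constraint."""
    calculated = sil_from_pfd(pfd)
    constraint = ARCH_CONSTRAINT_SFF_BELOW_60[hft]
    claimable = None if calculated is None else min(calculated, constraint)
    return {"case": case, "pfd": pfd, "calculated_sil": calculated,
            "constraint": constraint, "claimable_sil": claimable}


def table_5(betas=(0.01, 0.05, 0.10)):
    """Recompute the four configurations of Table 5 for each beta factor."""
    pfd_sc = single_channel_pfd()
    rows = [assess("Case 1 (HFT 0)", 0, pfd_sc)]
    for beta in betas:
        rows.append(assess(f"Case 2 (HFT 1, beta={beta:.0%})", 1, pfd_1oo2(pfd_sc, beta)))
        rows.append(assess(f"Case 3 (HFT 1, beta={beta:.0%})", 1,
                           pfd_1oo2_per_element(LAMBDA_DU, beta)))
        rows.append(assess(f"Case 4 (HFT 2, beta={beta:.0%})", 2, pfd_1oo3(pfd_sc, beta)))
    return rows


if __name__ == "__main__":
    for row in table_5():
        print(f"{row['case']:<26} PFD={row['pfd']:.1e}  calculated SIL {row['calculated_sil']}"
              f"  constraint SIL {row['constraint']}  claimable SIL {row['claimable_sil']}")
```

Running it reproduces the table to the quoted precision and makes the report's observation visible in the last column: in every row but Case 4 at β = 5% and 10% the claimable SIL is set by the architecture, not by the calculated PFD.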

Since only generic data has been used and no FMEA carried out, it is appropriate to apply the architectural constraints of Table 2 assuming a SFF of <60%. It can be seen that, except in Case 4 with β = 5% and 10%, the SIL is constrained by the architecture to at least one level lower than would be indicated by the reliability analysis alone. (In Case 4 with β = 5% and 10%, the CCF contribution constrains the calculated PFD to the same SIL as the architectural constraint.) The SIL assessment therefore introduces a comfortable margin of conservatism to allow for the uncertainty in the data resulting from the absence of detailed analysis, e.g. by FMEA. The use of Table 3, which would result in even more restriction, is considered overly conservative. If a higher SFF can be justified by reliable field data or detailed analysis by FMEA, the architectural constraints would be relaxed and consequently the SIL assessment would depend to a greater extent on the reliability assessment. The above discussion suggests that the architectural constraints of Table 2 introduce a reasonable, but not unduly restrictive, degree of conservatism.

3.2. Application to Actual Architectures

Appendix C considers 18 circuits which are in actual use for machinery safeguarding. For each circuit, the SIL imposed by the architectural constraints of Table 2 is derived, assuming a SFF of <60%. Tables C2 to C19 in Appendix C list the cutsets for each circuit (including Common Cause Failures (CCFs)). If the cutset list contains any single unrevealed failures (i.e. hardware fault tolerance = 0), from Table 2, the architectural constraint is SIL1. For a SIL2 constraint, the cutset list must not contain any single unrevealed failure events. The derived SIL constraints are presented in Table C1. (Note that single CCFs listed in the cutsets are not treated as single failures since CCFs are by definition multiple failures.)

The PFD/Frequency of Dangerous Failure of each circuit is assessed using the data derived in Appendix A and assuming a yearly proof test with Common Cause Failure beta factor values of 1%, 5% and 10%. The circuits are also assessed assuming only a yearly functional test. The numerically assessed SIL levels for each circuit, for both PFD and frequency of dangerous failure, are based on Table 1. These SIL levels are presented in Table C1 for comparison with the proposed architectural constraints of Table 2.

It can be seen from Table C1 that, in all cases, applying the architectural constraint results in the same or a lower SIL as compared to that calculated from the failure rate or PFD, with the most severe constraints of up to two levels being at the higher calculated SILs. Thus the “default” architectural constraint (SFF<60%) has a relatively small effect at the lower SILs but an increasingly important effect as higher SILs are required. This is consistent with the need to allow for uncertainties in the reliability data and systematic failures at the higher SIL levels.

If a SFF better than 60% can be demonstrated from dependable data or from FMEA, then the architectural constraints will be relaxed by up to 2 levels. In most cases, this will allow a higher SIL to be claimed. The scheme therefore meets the requirement of allowing a higher SIL if there is adequate justification.

Appendix C also demonstrates that functional testing of machinery interlock circuits often results in lower SILs compared to cases where full proof testing is performed.

4.0 PROPOSED REQUIREMENTS FOR HARDWARE RELIABILITY

The requirements for estimating the probability of failure of safety functions due to random hardware failures are fundamentally the same as in IEC 61508, i.e. analysis should be undertaken to demonstrate a probability of failure equal to or better than the target failure measure.

If dependable data for the failure modes of interest of the exact type of each component part of the system are available from a similar application operating in a similar environment, the hardware reliability analysis can be carried out as described in IEC 61508. If specific data are not available, conservative generic data may be used for the hardware reliability analysis.

4.1. Generic Failure Rates

Low complexity systems in the machinery sector are likely to comprise a limited number of devices e.g.

· Limit switches
· Relays
· Contactors

Data for some such devices has been derived in Appendix A. The data is valid only if devices are properly selected for the required duty and rating and properly installed and maintained.

Appendix D presents a list of some of the components likely to be found in low complexity systems. The list is based on the component failure mode lists in Reference 3. For each component, a conservative value of failure rate is given which can be shown by reference to generic data to be rarely exceeded.

Appendix D also lists potential failure modes of the components which should be considered in the reliability analysis along with a suggested value for the percentage of the total failure rate which applies to that failure mode (Failure Mode Ratio). Those failure modes marked with an asterisk in Appendix D can be effectively designed out of the system and, given adequate design, need not be considered (see Reference 3, Table D.5 for guidance on the necessary design features).

5.0 PROPOSED REQUIREMENTS FOR ACTION ON FAILURE DETECTION

The proposed requirements for action on failure detection are identical to those in Section 7.4.6 of IEC 61508. In low complexity systems, there are unlikely to be self-monitoring or diagnostic features as may be provided on more complex, and particularly PE based, systems. Low complexity systems may, however, have fail to safety design features and/or self checking features which should be designed to result in a safe state on failure.

6.0 PROPOSED REQUIREMENTS FOR DEFENCES AGAINST SYSTEMATIC FAILURE

Annexes A and B of IEC61508-2 [Reference 1] recommend, for each SIL, techniques and measures to apply to avoid failures during the safety lifecycle of a system, and to control failures during operation should they occur. Measures to control failures are built-in features of safety related systems.

Tables A.16 to A.18 of Reference 1 recommend techniques and measures for controlling systematic failures during operation. Tables B.1 to B.5 of Reference 1 recommend techniques and measures to avoid systematic failures during different phases of the lifecycle of the system (including design, operation and maintenance). ‘Highly recommended’ techniques and measures must be applied to all systems unless there are good reasons for their not being used, and these reasons must be documented. Application of ‘recommended’ techniques is optional but at least one of the available techniques must be applied [Reference 1]. Failure to adequately embrace the recommended techniques will adversely affect the SIL which can be claimed.

The application of these techniques and measures to low complexity systems is considered below.

The majority of measures which could be applied to control systematic failures caused by hardware and software design (Table A.16 in Reference 1) are unlikely to be applicable to low complexity systems (e.g. interlock guard systems). These techniques and measures have been removed from the table below. Low complexity systems are unlikely to incorporate the sophisticated components or design processes to which several of the techniques and measures (e.g. program sequence monitoring) would apply.

All the highly recommended measures identified to control systematic failures due to environmental and operational factors (Tables A.17 and A.18 in Reference 1) are applicable to low complexity systems. However, again, some of the recommended techniques are of limited suitability for low complexity systems. The recommendations considered applicable to low complexity systems for Tables A16 to A18 in Reference 1 have been combined together in Table 6 below.


Each cell gives the recommendation (HR = highly recommended, R = recommended, – = no recommendation) followed by the effectiveness (low, medium, high or mandatory) in brackets.

| Technique/Measure | See IEC 61508-7 | SIL1 | SIL2 | SIL3 | SIL4 |
| --- | --- | --- | --- | --- | --- |
| TECHNIQUES AND MEASURES TO CONTROL SYSTEMATIC FAILURES CAUSED BY HARDWARE DESIGN | | | | | |
| Failure detection by on-line monitoring (Note 2) | A.1.1 | R (low) | R (low) | R (medium) | R (high) |
| Antivalent signal transmission | A.11.4 | R (low) | R (low) | R (medium) | R (high) |
| Standard test access ports | A.2.3 | R (low) | R (low) | R (medium) | R (high) |
| Use of well-tried components | B.3.3 | R (low) | R (low) | R (medium) | R (high) |
| Diverse hardware (Note 3) | B.1.4 | – (low) | – (low) | R (medium) | R (high) |
| Separation of E/E/PE safety-related systems from non-safety-related systems | B.1.3 | HR (low) | HR (low) | HR (medium) | HR (high) |
| Measures against voltage breakdown, voltage variations, overvoltage, low voltage | A.8 | HR (mandatory) | HR (mandatory) | HR (mandatory) | HR (mandatory) |
| Separation of electrical energy lines from information lines (Note 4) | A.11.1 | HR (mandatory) | HR (mandatory) | HR (mandatory) | HR (mandatory) |
| Increase of interference immunity | A.11.3 | HR (mandatory) | HR (mandatory) | HR (mandatory) | HR (mandatory) |
| Measures against the physical environment (for example, temperature, humidity, water, vibration, dust, corrosive substances) | A.14 | HR (mandatory) | HR (mandatory) | HR (mandatory) | HR (mandatory) |
| Measures against temperature increase | A.10 | HR (low) | HR (low) | HR (medium) | HR (high) |
| Spatial separation of multiple lines | A.11.2 | HR (low) | HR (low) | HR (medium) | HR (high) |
| Modification protection | B.4.8 | HR (mandatory) | HR (mandatory) | HR (mandatory) | HR (mandatory) |

At least one of the techniques in the light grey shaded group is required.

NOTE 1 The overview of techniques and measures associated with this table is in annexes A and B of IEC 61508-7. The relevant subclause is referenced in the second column.

NOTE 2 For E/E/PE safety-related systems operating in a low demand mode of operation (for example emergency shutdown systems); the diagnostic coverage achieved from failure detection by on-line monitoring is generally low or none.

NOTE 3 Diverse hardware is not required if it has been demonstrated, by validation and extensive operational experience, that the hardware is sufficiently free of design faults and sufficiently protected against common cause failures to fulfil the target failure measures.

NOTE 4 Separation of electrical energy lines from information lines is not necessary if the information is transported optically, nor is it necessary for low power lines which are designed for energising components of the E/E/PES and carrying information from or to these components.

TABLE 6: DESIGN TECHNIQUES AND MEASURES TO CONTROL SYSTEMATIC FAILURES CAUSED BY HARDWARE DESIGN IN LOW COMPLEXITY SYSTEMS


Many of the measures identified in Tables B.1 to B.5 to help avoid systematic errors during system design, operation and maintenance are applicable to low complexity systems. The applicable recommendations have been combined in Table 7 below:

Each cell gives the recommendation (HR = highly recommended, R = recommended, NR = not recommended, – = no recommendation) followed by the effectiveness (low, medium, high or mandatory) in brackets.

| Technique/Measure | See IEC 61508-7 | SIL1 | SIL2 | SIL3 | SIL4 |
| --- | --- | --- | --- | --- | --- |
| GENERAL RECOMMENDATIONS TO AVOID MISTAKES DURING THE LIFECYCLE | | | | | |
| Project management | B.1.1 | HR (low) | HR (low) | HR (medium) | HR (high) |
| Documentation | B.1.2 | HR (low) | HR (low) | HR (medium) | HR (high) |
| RECOMMENDATIONS TO AVOID MISTAKES DURING SPECIFICATION OF REQUIREMENTS | | | | | |
| Structured specification | B.2.1 | HR (low) | HR (low) | HR (medium) | HR (high) |
| Inspection of the specification | B.2.6 | – (low) | HR (low) | HR (medium) | HR (high) |
| RECOMMENDATIONS TO AVOID INTRODUCING FAULTS DURING DESIGN AND DEVELOPMENT | | | | | |
| Observance of guidelines and standards | B.3.1 | HR (mandatory) | HR (mandatory) | HR (mandatory) | HR (mandatory) |
| Inspection of the hardware or walk-through of the hardware | B.3.7, B.3.8 | – (low) | R (low) | R (medium) | R (high) |
| RECOMMENDATIONS TO AVOID FAULTS AND FAILURES DURING OPERATION AND MAINTENANCE PROCEDURES | | | | | |
| Operation and maintenance instructions | B.4.1 | HR (mandatory) | HR (mandatory) | HR (mandatory) | HR (mandatory) |
| User friendliness | B.4.2 | HR (mandatory) | HR (mandatory) | HR (mandatory) | HR (mandatory) |
| Maintenance friendliness | B.4.3 | HR (mandatory) | HR (mandatory) | HR (mandatory) | HR (mandatory) |
| Limited operation possibilities | B.4.4 | – (low) | R (low) | HR (medium) | HR (high) |
| Protection against operator mistakes | B.4.6 | – (low) | R (low) | HR (medium) | HR (high) |
| Operation only by skilled operators | B.4.5 | – (low) | R (low) | R (medium) | HR (high) |
| RECOMMENDATIONS TO AVOID FAULTS DURING TESTING/SAFETY VALIDATION | | | | | |
| Functional testing | B.5.1 | HR (mandatory) | HR (mandatory) | HR (mandatory) | HR (mandatory) |
| Functional testing under environmental conditions | B.6.1 | HR (mandatory) | HR (mandatory) | HR (mandatory) | HR (mandatory) |
| Interference surge immunity testing | B.6.2 | HR (mandatory) | HR (mandatory) | HR (mandatory) | HR (mandatory) |
| Simulation and failure analysis | B.3.6, B.6.6 | – (low) | R (low) | R (medium) | R (high) |
| Field experience | B.5.4 | R (low) | R (low) | R (medium) | NR |

At least one of the techniques in the light grey shaded group is required.

NOTE 1 The overview of techniques and measures associated with this table is in annex B of IEC 61508-7. Relevant subclauses are referenced in the second column.

TABLE 7: RECOMMENDATIONS TO AVOID MISTAKES DURING THE LIFECYCLE OF LOW COMPLEXITY SYSTEMS


7.0 REQUIREMENTS FOR PROVEN-IN-USE

If a system can be demonstrated to be “proven-in-use” in accordance with the requirements of IEC 61508 Sections 7.4.7.6 to 7.4.7.12, then it is not necessary to satisfy the conditions for the avoidance of systematic failure as outlined in Section 6.

In order to be considered proven-in-use, there must be supporting data meeting the requirements for dependable data as outlined in Section 2.1 for the identical system or subsystem. However, in addition, the data must be derived from an application functionally similar to the target application in order to demonstrate that the system or subsystem is free from design errors and other causes of systematic failure. Therefore, data from a functionally different application or manufacturers’ data on components will not generally be acceptable.

However, in the context of low complexity systems, evidence supporting a proven-in-use argument for some of the subsystems or component parts of a system may be drawn from a different functional application if that application meets the following conditions:

· The component considered has the same function within the application as in the target application. This condition will generally be satisfied by components which have a single, simple function, e.g. simple combinatorial logic, sensing elements, trip amplifiers, valve actuators, but is not likely to be met by more complex, multifunctional devices and, in particular, programmable devices.
· The component is used in a similar physical environment as the target application and has similar protection against external influences (EMI, temperature, humidity, dust etc.).
· The component is subjected to similar mechanical and/or electrical stresses and duty cycle (for mechanical or electromechanical devices).
· Data collected from the application(s) meets the requirements of Section 2.1 for dependable data.


It is envisaged that this approach may be useful for certain standard system building blocks such as safety relays and trip amplifiers where a proven-in-use demonstration may obviate the need for a hardware reliability analysis and FMEA and a consideration of defences against systematic failure. (It is noted that this approach is no different from that used of necessity for smaller component parts such as terminal blocks, simple relays, resistors, capacitors, semiconductors, since it is not possible to assess their reliability or defences against systematic failures and reliance must be placed on generic reliability data and an inherent assumption that they are proven-in-use with respect to systematic failures.)

However, it must be emphasised that even if some or all of the subsystems or component parts of a system are deemed proven-in-use, cognisance will still need to be taken of all the requirements outlined in this document as far as they apply at the system level.

8.0 REFERENCES

1 IEC 61508-2, ‘Functional Safety of electrical/electronic/programmable electronic safety-related systems – Part 2: Requirements for electrical/electronic/programmable electronic safety-related systems’, 1999.

2 ‘Health and Safety Executive – Analysis of Machinery Guard Interlock Circuits’, R96-157(N), First Issue, November 1996, R M Consultants Ltd., (J2403).

3 PrEN 954-2, Safety of machinery, Safety related parts of control systems, Part 2: validation.

4 BS 5760 Part 2 1994, Reliability of systems, equipment and components, Part 2: Guide to the assessment of reliability.

5 MIL-HDBK 217, Reliability Prediction of Electronic Equipment.


FIGURE 3: GUARDING SYSTEM, HARDWARE FAULT TOLERANCE = 0

[Figure: guard (open/closed) operating relay K1, whose contact controls the motor contactor. Note: Guard shown in open position.]


Printed and published by the Health and Safety Executive C30 1/98


APPENDIX A: DERIVATION OF COMPONENT FAILURE RATES

This Appendix derives failure rates for the primary components used in low complexity systems.

Limit Switch

From Reference A1, Section 14.1:

λb = 4.3 × 10^-6/h (Limit Switch)
πL = 1.28 (Stress 0.2, inductive load)
πC = 1.0 (Not push button or toggle)
πQ = 2 (Non-MIL Spec)
πE = 3 (Ground, Fixed)
λb × πL × πC × πQ × πE = 33.0 f/10^6 h (0.289 f/y)

From Reference A2, Section 14.1:

λg = 13 × 10^-6/h (Limit Switch, Ground Fixed environment)
πQ = 2 (Non-MIL Spec)
λg × πQ = 26.0 f/10^6 h (0.228 f/y)

Taking the higher of these, the failure rate is 33 f/10^6 h or 0.289 f/y. This applies to a single pole single throw (SPST) switch.

Failure modes are assumed to be 50% fail safe, 50% fail danger, allocated equally between mechanical parts and the contacts, i.e. 7.2 × 10^-2 f/y per mode. This failure rate would apply to each contact on a multi-contact switch.

Limit Switch, positively opening on demand

The failure rate of a switch which is driven open directly by a mechanical force is expected to be much lower. The data for a pushbutton is considered the most applicable, although data is not available to distinguish between opening and closing modes of operation. From Reference A1, Section 14.1:

λb = 0.1 × 10^-6/h (Pushbutton)
πL = 1.28 (Stress 0.2, inductive load)
πC = 1.0 (SPST)
πQ = 2 (Non-MIL Spec)
πE = 3 (Ground, Fixed)
λb × πL × πC × πQ × πE = 0.77 f/10^6 h (6.7 × 10^-3 f/y)

From Reference A2, Section 14.1:

λg = 0.3 × 10^-6/h (Pushbutton, Ground Fixed environment)
πQ = 2 (Non-MIL Spec)
λg × πQ = 0.6 f/10^6 h (5.3 × 10^-3 f/y)

Taking the higher of these, the failure rate is 0.77 f/10^6 h or 6.7 × 10^-3 f/y. This applies to an SPST switch.

Failure modes are assumed to be 50% fail safe, 50% fail danger, allocated equally between mechanical parts and the contacts, i.e. 1.7 × 10^-3 f/y per mode. This failure rate would apply to each additional contact on a multi-contact switch.

Relays

From Reference A1, Section 13.1:

λb = 0.0059 × 10^-6/h (85°C rated temp, 25°C ambient)
πL = 1.28 (Stress 0.2, inductive load)
πC = 1.75 (Single pole, double throw)
πcyc = 1.0 (< 10 cycles/h, non-MIL Spec.)
πF = 5 (Balanced Armature, General purpose, 0-5 Amp)
πQ = 2.9 (Commercial)
πE = 2 (Ground, Fixed)
λb × πL × πC × πcyc × πF × πQ × πE = 0.383 f/10^6 h (3.4 × 10^-3 f/y)

From Reference A2, Section 13.1:

λg = 0.12 × 10^-6/h (General purpose, balanced armature, Ground Fixed environment)
πQ = 2.9 (Non-MIL Spec)
λg × πQ = 0.348 f/10^6 h (3.0 × 10^-3 f/y)

From Reference A3:

λref = 0.004 × 10^-6/h (general switching relay)
πL = 20 (dc, inductive load)
πT = 1 (< 40°C)
πS = 1.0 (< 1 cycle/h)
πE = 3 (Dust tight)
λref × πL × πT × πS × πE = 0.24 f/10^6 h (2.1 × 10^-3 f/y)

Reference A4 gives a Mean Time To Failure (MTTF) for a relay of 10^8 hours, i.e. a failure rate of 0.01 f/10^6 h with 90% of failures in the dangerous direction.

Taking the highest of the above, the failure rate is 0.383 f/10^6 h or 3.4 × 10^-3 f/y. This applies to an SPST contact form.

Failure modes are assumed to be 50% fail safe, 50% fail danger, allocated equally between mechanical parts and the contacts, i.e. 8.4 × 10^-4 f/y per mode. This failure rate would apply to each additional contact on a multi-contact relay.


Contactors

From Reference A1, Section 13.1:

λb = 0.0084 × 10^-6/h (85°C rated, 40°C operation)
πL = 1.28 (20% stress, inductive load)
πC = 2 (3PST)
πCYC = 1 (Non-MIL Spec, < 10 cycles/h)
πF = 10 (25-600 Amp contactor, balanced armature)
πQ = 2.9 (Commercial)
πE = 2 (Ground Fixed)
λb × πL × πC × πCYC × πF × πQ × πE = 1.2 f/10^6 h (1.1 × 10^-2 f/y)

From Reference A2, Section 13.1:

λg = 0.12 × 10^-6/h (Contactor, high current, solenoid, ground fixed environment, SPST)
πQ = 2.9 (Non-MIL Spec)
λg × πQ = 0.35 f/10^6 h (3.0 × 10^-3 f/y)

From Reference A4:

λref = 0.25 × 10^-6/h (3 pole ac contactor)
πS = 1.0 (< 1 cycle/h)
πU = 1 (< 400V ac)
πI = 0.71 (50% rated current)
πT = 1
πE = 1
λref × πS × πU × πI × πT × πE = 0.18 f/10^6 h (1.6 × 10^-3 f/y)

Reference A4 gives an MTTF for a contactor of 2.5 × 10^6 hours, i.e. a failure rate of 0.4 f/10^6 h with 90% of failures in the dangerous direction.

Taking the worst case figure, the failure rate is 1.2 × 10^-6 f/h or 1.1 × 10^-2 f/y. Failure modes are assumed to be 50% fail danger, 50% fail safe, i.e. 5.5 × 10^-3 f/y per mode.


Wiring

The failure rate of wiring is more dependent on external causes (e.g. flexing, chafing) than on the wire itself which, in ideal conditions, will not fail. It is therefore not possible to predict a failure rate from generic data. A value of 0.01 failures per year has been allocated (50% open circuit, 50% short circuit between conductors, i.e. 0.005 f/y per mode).

Link

Some systems use a link which must be physically broken in order to open the guard. No dangerous failure has been identified and the failure rate is considered to be effectively zero.

LEGEND

λb = Base failure rate (failures per 10^6 hours)
λref = Reference (= Base) failure rate (failures per 10^6 hours)
λg = Failure rate for Ground Fixed environment (failures per 10^6 hours)
πC = Complexity or Configuration factor
πCYC = Cycling factor
πE = Environment factor
πF = Form factor
πI = Current stress factor
πL = Load stress factor
πQ = Quality factor
πT = Temperature factor
πS = Cycling factor
πU = Voltage stress factor
πV = Voltage stress factor


REFERENCES

A1 MIL-HDBK 217F (Notice 2), Reliability Prediction of Electronic Equipment, 28th February 1995, Parts Stress Analysis.

A2 MIL-HDBK 217F (Notice 2), Reliability Prediction of Electronic Equipment, 28th February 1995, Appendix A, Parts Count Reliability Prediction.

A3 Siemens AG SN 29500 Part 7, Failure Rates of Components, Expected Values for Relays, April 1992.

A4 Siemens AG SN 29500 Part 11, Failure Rates of Components, Expected Values for Contactors, August 1990.


APPENDIX B: PFD OF A REDUNDANT SYSTEM SUBJECT TO ONLY FUNCTIONAL TESTING

Consider the following system comprising two redundant elements in parallel:

[Figure: Element A and Element B connected in parallel]

The elements have dangerous undetected failure rates of $\lambda_A$ and $\lambda_B$ respectively. The system is functionally tested at intervals of $T$. The functional test will only detect a failure if both elements are failed; if only one element is failed, the system is working and will pass the functional test. (This must be distinguished from a proof test, which would be expected to detect failure of one element even if the system is working.)

The probability that A is failed but B is not failed at a time $t$ is:

$$P_{A\bar{B}} = \left(1 - e^{-\lambda_A t}\right) \times e^{-\lambda_B t} = e^{-\lambda_B t} - e^{-(\lambda_A + \lambda_B) t}$$

The probability that B then fails in the interval $t$ to $t + dt$ is:

$$P_{AB} = \left(e^{-\lambda_B t} - e^{-(\lambda_A + \lambda_B) t}\right) \lambda_B \, dt$$

Similarly, the probability of A failing in the interval $t$ to $t + dt$, B having already failed, is:

$$P_{BA} = \left(e^{-\lambda_A t} - e^{-(\lambda_A + \lambda_B) t}\right) \lambda_A \, dt$$

The total probability of system failure in the interval $t$ to $t + dt$ is therefore:

$$P_{SYS} = \left(\lambda_A e^{-\lambda_A t} + \lambda_B e^{-\lambda_B t} - (\lambda_A + \lambda_B) e^{-(\lambda_A + \lambda_B) t}\right) dt$$


The mean time to failure (MTTF) is given by

$$MTTF = \int_0^{\infty} t \left(\lambda_A e^{-\lambda_A t} + \lambda_B e^{-\lambda_B t} - (\lambda_A + \lambda_B) e^{-(\lambda_A + \lambda_B) t}\right) dt$$

Integrating by parts, it can be shown that:

$$\int_0^{\infty} x \, t \, e^{-xt} \, dt = \frac{1}{x}$$

Therefore,

$$MTTF = \frac{1}{\lambda_A} + \frac{1}{\lambda_B} - \frac{1}{\lambda_A + \lambda_B}$$

If the system is functionally tested at intervals of $T$, on average the system failure will remain undetected for an interval of $T/2$. Assuming that the time to effect repair (or put the machine into a safe state) is short in comparison, the effective mean time to repair (MTTR) is also $T/2$. Therefore, the average probability of the system being in a failed state (i.e. PFD for a protective system) is:

$$PFD = \frac{MTTR}{MTTF + MTTR} \approx \frac{MTTR}{MTTF} = \frac{T}{2} \cdot \frac{1}{\left(\dfrac{1}{\lambda_A} + \dfrac{1}{\lambda_B} - \dfrac{1}{\lambda_A + \lambda_B}\right)}$$

If $\lambda_A = \lambda_B = \lambda$, this simplifies to:

$$PFD = \frac{\lambda T}{3}$$

The PFD for a single channel system is:

$$PFD = \frac{\lambda T}{2}$$


It can be seen that if the system is only functionally tested, there is very little benefit from redundancy.
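The Appendix B result checked numerically, as an added example that is not part of the report: the system failure density above is integrated with Simpson's rule to confirm the closed-form MTTF, and the PFD of a functionally tested redundant pair is compared with a single channel and with a proof-tested pair (the λA·λB·T²/3 figure for the latter is the standard 1oo2 result, not derived in the appendix). The relay rate of 3.4 × 10^-3 f/y is taken from Appendix A as sample input.

```python
"""Added example (not the report's own code): numerical check of Appendix B.
f(t) = lA e^{-lA t} + lB e^{-lB t} - (lA+lB) e^{-(lA+lB) t} is the density of the
time at which the second of two elements fails; MTTF = integral of t*f(t) dt."""
import math


def failure_density(t, la, lb):
    """Density of the system (both elements failed) failure time."""
    return (la * math.exp(-la * t) + lb * math.exp(-lb * t)
            - (la + lb) * math.exp(-(la + lb) * t))


def mttf_closed_form(la, lb):
    """Appendix B: MTTF = 1/lA + 1/lB - 1/(lA + lB)."""
    return 1 / la + 1 / lb - 1 / (la + lb)


def mttf_numeric(la, lb, steps=20000):
    """Simpson's rule for the integral of t*f(t) over [0, t_max]; t_max is chosen
    so that the neglected tail is of order exp(-40)."""
    t_max = 40.0 / min(la, lb)
    h = t_max / steps
    total = 0.0
    for i in range(steps + 1):
        t = i * h
        weight = 1 if i in (0, steps) else (4 if i % 2 else 2)
        total += weight * t * failure_density(t, la, lb)
    return total * h / 3


def pfd_functional_test_only(la, lb, test_interval):
    """PFD ~ MTTR/MTTF with MTTR = T/2, as derived in Appendix B."""
    return (test_interval / 2) / mttf_closed_form(la, lb)


def pfd_single_channel(lam, test_interval):
    """Single channel: PFD = lambda*T/2."""
    return lam * test_interval / 2


def pfd_proof_tested_pair(la, lb, proof_interval):
    """Standard 1oo2 result when each element is proof tested at interval T
    (included for comparison; not derived in Appendix B)."""
    return la * lb * proof_interval ** 2 / 3


if __name__ == "__main__":
    # Constructed input: relay dangerous failure rate of Appendix A, in f/y
    lam, T = 3.4e-3, 1.0
    print("MTTF closed form / numeric (years):",
          mttf_closed_form(lam, lam), mttf_numeric(lam, lam))
    print("PFD single channel       :", pfd_single_channel(lam, T))
    print("PFD pair, functional test:", pfd_functional_test_only(lam, lam, T))
    print("PFD pair, proof test     :", pfd_proof_tested_pair(lam, lam, T))
```

For equal rates the functionally tested pair comes out at exactly two thirds of the single-channel PFD, which is the "very little benefit from redundancy" conclusion above.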


APPENDIX C: CALCULATION OF FAILURE MEASURES AND COMPARISON WITH ARCHITECTURAL CONSTRAINTS FOR MACHINERY GUARDING CIRCUITS

Methodology

Reference C1 reported a comparison of qualitatively assessed against numerically assessed SILs for a number of machinery guard interlock circuits.

The circuits considered are presented in Figures C1 to C18. Each circuit is a different means of achieving the same purpose, i.e. to stop motive power to a machine if a guard is opened or to prevent motive power being applied if the guard is open. Each circuit does this by interrupting the current to the motor (or to the circuit breaker controlling the motor) if the guard is open.

Fault trees were constructed to show the failures or combinations of failures which would prevent the motor from stopping if a guard is opened.

Many of the circuits incorporate checking features which check that the relays are capable of dropping out or pulling in, as would be required to stop the motor, each time the guard is operated. For example, if a relay is stuck open, the motor cannot be restarted when the guard is closed. The circuits were analysed to determine what failures would be revealed in this way. It is assumed in the fault trees that the guard is operated daily and these faults are classed as revealed with a repair time of 24 hours in the fault trees so that the probability of failure on demand at time = 24 hours is correctly calculated.

It is assumed that all other faults are unrevealed except by proof test. Results have been calculated assuming a proof test interval of one year.

In some multi-channel systems, failures of individual channels are unrevealed but failure of all channels (i.e. system failure) is revealed. These situations have been modelled by treating failure of one of the channels as revealed and the others as unrevealed. The Probability of Failure on Demand (PFD) is the probability that the machine does not stop or can be started with the guard open. It is not therefore the probability of harm to the operator. This is given by:

Hazard Rate = PFD × Frequency of operator attempting to cross barriers by opening guards without stopping machine (Fdemand)

In certain situations Fdemand will be small and the above relationship applies.

In other situations, it will be quite normal for the operator to rely on the opening of the guard to stop the machine and will routinely and frequently be at risk if the interlock fails to operate. In these circumstances, the relevant quantity is the Failure Rate since if a failure occurs, the operator is at high risk the next time he opens the guard. Tables C2 – C19 list the cutsets for each circuit, i.e. the combinations of component failures which would result in system failure. The SIL of each circuit imposed by the architectural constraints is assessed against the proposed scheme of Table 2 which defines the SIL level according to the hardware fault tolerance. The fault tolerance is derived from the cutset lists in Tables C2 – C19. If the cutset list contains one or more single order unrevealed faults (except CCFs, which are by definition multiple failures) then the hardware fault tolerance is zero. If the cutset list has no single order unrevealed faults but has one or more second order unrevealed faults, then the hardware fault tolerance is 1. The architectural constraint on the SIL is taken from Table 2 assuming a SFF of < 60%.

The PFD and Frequency of Failure of each circuit are assessed assuming each component within the circuit is proof tested annually and assuming various values of Common Cause Failure beta-factor (1%, 5% and 10%). However, in the industries where such interlock circuits are most likely to be used it is unlikely that proof testing of individual circuit components would be performed. Testing would most probably take the form of an annual functional test. The PFD and Frequency of Failure for each of the 18 circuits have therefore also been assessed assuming an annual functional test is performed. The SILs corresponding to the assessed PFDs and Frequencies of Failure are derived.

The revised numerically assessed SIL values have then been compared to the architectural constraints on SIL value for each circuit.

Common Cause Failure

Common cause failure (CCF) has been modelled in the assessment of each of the 18 circuits except for Circuit 1 which has no redundant components. Beta factors of 1%, 5% and 10% have been assumed. Where the circuit has two limit switches the CCF rate (and beta-factor) has been assumed to apply to the lowest failure rate value of the two switches.

Annual Functional Tests

Appendix B shows that the effect of functional testing (as opposed to proof testing which tests that all channels of a redundant system are working) is to reduce the PFD by a factor of 2/3 as compared to the single channel system. In effect, this gives very little credit for redundancy. To estimate the PFD of a redundant pair of items therefore, assuming only functional checks, a CCF event has been included using a beta factor of 2/3 applied to the redundant item with the lowest failure rate. Where the circuits have multiple redundant systems this approach is slightly conservative.
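The methodology above (hardware fault tolerance from the cutset list, architectural constraint lookup, PFD and failure rate with annual proof testing and a CCF beta-factor, or with an annual functional test modelled as a beta of 2/3) carried through in code, as an added example that is not the report's own fault tree analysis. The constraint table is the HFT 0 and HFT 1 mapping tabulated in Table C1; the SIL bands are the IEC 61508 target failure measures; the two-channel circuit, its component rates and the cut-set approximations (unrevealed fault λT/2, unrevealed pair λ1λ2T²/3, revealed fault λ × repair time) are constructed for the example and are not one of the report's Circuits 1 to 18.

```python
"""Added worked example (not the report's own code): SIL assessment of a guard
interlock circuit from its cut-set list, following the Appendix C methodology."""
from itertools import product

HOURS_PER_YEAR = 8760.0

# Architectural constraint on SIL by hardware fault tolerance (HFT) and safe
# failure fraction band, as tabulated for HFT 0 and 1 in Table C1 of the report.
SFF_BANDS = ("<60%", "60%-<90%", "90%-<99%", ">=99%")
ARCH_CONSTRAINT = {0: (1, 2, 3, 3), 1: (2, 3, 4, 4)}

# IEC 61508 target failure measures: lower bound of the SIL1..SIL4 bands
# (low demand: average PFD; high demand: dangerous failures per hour).
PFD_LOWER = (1e-2, 1e-3, 1e-4, 1e-5)
PFH_LOWER = (1e-6, 1e-7, 1e-8, 1e-9)


def sil_from_measure(value, lower_bounds):
    """Highest SIL whose band contains value (0 if it misses SIL1; 4 at best)."""
    sil = 0
    for level, lower in enumerate(lower_bounds, start=1):
        if value < lower * 10:      # band is [lower, 10*lower)
            sil = level
    return sil


def hardware_fault_tolerance(cutsets):
    """Single-order unrevealed cut set -> HFT 0; only second-order -> HFT 1.
    CCF events are not in the list: they are multiple failures by definition."""
    return min(len(cs) for cs in cutsets) - 1


def architectural_constraint(hft, sff_band="<60%"):
    return ARCH_CONSTRAINT[hft][SFF_BANDS.index(sff_band)]


def failure_measures(cutsets, rates, proof_test_years=1.0, revealed=frozenset(),
                     repair_hours=24.0, ccf_pairs=(), beta=0.0):
    """Return (average PFD, dangerous failure rate per year) for the circuit.

    Unrevealed fault: mean unavailability lambda*T/2; two unrevealed faults with
    the same proof-test interval T: lambda1*lambda2*T^2/3 (standard 1oo2 result).
    Revealed fault (e.g. relay failure shown up by daily guard operation): lambda
    times the repair time.  CCF: a single-order event of beta times the lower
    rate of each redundant pair; beta = 2/3 reproduces the functional-test-only
    PFD of lambda*T/3 derived in Appendix B."""
    tau = repair_hours / HOURS_PER_YEAR
    T = proof_test_years

    def unavail(c):
        return rates[c] * (tau if c in revealed else T / 2)

    pfd = rate = 0.0
    for cs in cutsets:
        if len(cs) == 1:
            pfd += unavail(cs[0])
            rate += rates[cs[0]]
        elif len(cs) == 2:
            a, b = cs
            if a in revealed or b in revealed:
                pfd += unavail(a) * unavail(b)
            else:
                pfd += rates[a] * rates[b] * T * T / 3
            # second-order rate: either component fails while the other is down
            rate += rates[a] * unavail(b) + rates[b] * unavail(a)
        else:
            raise ValueError("only first- and second-order cut sets are handled")
    for a, b in ccf_pairs:
        ccf_rate = beta * min(rates[a], rates[b])
        pfd += ccf_rate * T / 2
        rate += ccf_rate
    return pfd, rate


def assess(cutsets, rates, **kw):
    pfd, rate = failure_measures(cutsets, rates, **kw)
    return {"pfd": pfd, "rate_per_year": rate,
            "sil_pfd": sil_from_measure(pfd, PFD_LOWER),
            "sil_rate": sil_from_measure(rate / HOURS_PER_YEAR, PFH_LOWER)}


# Constructed two-channel circuit (hypothetical, not one of Figures C1-C18):
# channel A = limit switch S1 feeding relay K1, channel B = S2 feeding K2; the
# machine fails to stop only if one element of each channel has failed dangerous.
# Rates are dangerous failures per year of the order of the Appendix A values.
RATES = {"S1": 3.4e-3, "S2": 3.4e-3, "K1": 1.7e-3, "K2": 1.7e-3}
CUTSETS = [[a, b] for a, b in product(("S1", "K1"), ("S2", "K2"))]
CCF_PAIRS = (("S1", "S2"), ("K1", "K2"))


def example():
    hft = hardware_fault_tolerance(CUTSETS)
    constraint = architectural_constraint(hft)          # default SFF < 60%
    proof = assess(CUTSETS, RATES, ccf_pairs=CCF_PAIRS, beta=0.10)
    functional = assess(CUTSETS, RATES, ccf_pairs=CCF_PAIRS, beta=2 / 3)
    return hft, constraint, proof, functional


if __name__ == "__main__":
    hft, constraint, proof, functional = example()
    print(f"HFT={hft}, architectural constraint SIL{constraint}")
    print("annual proof test, beta=10%:", proof)
    print("annual functional test only:", functional)
```

For the constructed circuit the annual proof test gives SIL3 on both bases and the functional test only gives SIL2, which is lower but not below the HFT 1 constraint of SIL2, the same pattern the report records for its circuits.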

Results

Table C1 presents the results of the analyses outlined above. For each of the 18 circuits analysed, the SILs corresponding to both the calculated failure rate and PFD are presented, along with the architectural constraint on SIL resulting from the application of Table 2, assuming a SFF of <60%.

The SIL values derived on a failure rate basis assuming an annual proof test are generally equal to or lower by one level than the SIL imposed by the architectural constraints. The only exception is Circuit 12 assuming no or a very low CCF, which is restrained by two levels. This circuit has a very low failure rate because of a high degree of self testing.

The architectural constraints are more restrictive if the SIL is calculated on the basis of PFD, reducing the SIL by two levels in many cases.

The application of yearly functional testing results in a lower numerically assessed SIL than yearly proof testing. However, in no case is it lower than the architectural constraint.

Conclusions

The architectural constraints of Table 2 are reasonably consistent with the calculated failure rate and PFD for “low complexity” systems. In all cases, applying the architectural constraint results in the same or a lower SIL as is calculated from the failure rate or PFD, with the most severe constraints (up to two levels) being at the highest calculated SILs, which suggests that the “default” constraint (SFF<60%) is set at the correct level.

If a SFF better than 60% can be demonstrated from good data or from FMEA, then the architectural constraints will be relaxed by up to 2 levels. In most cases, this will allow a higher SIL to be claimed.

References

C1 ‘Health and Safety Executive – Analysis of Machinery Guard Interlock Circuits’, R96-157(N), First Issue, November 1996, R M Consultants Ltd., (J2403).


TABLE C1: COMPARISON OF ARCHITECTURAL CONSTRAINTS AND NUMERICALLY ASSESSED SILS

Column key:
HFT: hardware fault tolerance.
AC: architectural constraint (SIL) for SFF <60% (default), 60%-<90%, 90%-<99% and ≥99%.
FR: SIL assessed on a failure rate basis; PFD: SIL assessed on a PFD basis. The five cases are:
(a) no CCF, PTI = 1y; (b) CCF, β=1%, PTI = 1y; (c) CCF, β=5%, PTI = 1y; (d) CCF, β=10%, PTI = 1y; (e) functional test = 1y (=67%).

Circuit | HFT | AC <60% (default) | AC 60%-<90% | AC 90%-<99% | AC ≥99% | FR (a) | FR (b) | FR (c) | FR (d) | FR (e) | PFD (a) | PFD (b) | PFD (c) | PFD (d) | PFD (e)
1 | 0 | 1 | 2 | 3 | 3 | 1 | 1 | 1 | 1 | 1 | 2 | 2 | 2 | 2 | 2
2 | 0 | 1 | 2 | 3 | 3 | 2 | 2 | 2 | 2 | 2 | 2 | 2 | 2 | 2 | 2
3 | 0 | 1 | 2 | 3 | 3 | 2 | 2 | 2 | 2 | 2 | 2 | 2 | 2 | 2 | 2
4 | 0 | 1 | 2 | 3 | 3 | 2 | 2 | 2 | 2 | 2 | 3 | 3 | 3 | 3 | 3
5 | 0 | 1 | 2 | 3 | 3 | 2 | 2 | 2 | 2 | 2 | 3 | 3 | 3 | 3 | 3
6 | 0 | 1 | 2 | 3 | 3 | 2 | 2 | 2 | 2 | 2 | 3 | 3 | 3 | 3 | 3
7 | 0 | 1 | 2 | 3 | 3 | 2 | 2 | 2 | 2 | 2 | 2 | 2 | 2 | 2 | 2
8 | 1 | 2 | 3 | 4 | 4 | 2 | 2 | 2 | 2 | 2 | 3 | 3 | 3 | 3 | 2
9 | 1 | 2 | 3 | 4 | 4 | 3 | 3 | 3 | 3 | 2 | 3 | 3 | 3 | 3 | 3
10 | 1 | 2 | 3 | 4 | 4 | 3 | 3 | 3 | 3 | 2 | 4 | 4 | 3 | 3 | 2
11 | 1 | 2 | 3 | 4 | 4 | 3 | 3 | 3 | 2 | 2 | 4 | 4 | 4 | 4 | 3
12 | 1 | 2 | 3 | 4 | 4 | 4 | 4 | 3 | 3 | 2 | 4 | 4 | 4 | 4 | 3
13 | 1 | 2 | 3 | 4 | 4 | 3 | 3 | 3 | 3 | 2 | 4 | 4 | 3 | 3 | 2
14 | 1 | 2 | 3 | 4 | 4 | 2 | 2 | 2 | 2 | 2 | 3 | 3 | 3 | 3 | 2
15 | 1 | 2 | 3 | 4 | 4 | 2 | 2 | 2 | 2 | 2 | 3 | 3 | 3 | 3 | 2
16 | 1 | 2 | 3 | 4 | 4 | 3 | 3 | 3 | 3 | 2 | 4 | 4 | 4 | 4 | 4
17 | 1 | 2 | 3 | 4 | 4 | 3 | 3 | 3 | 3 | 2 | 4 | 4 | 4 | 4 | 4
18 | 1 | 2 | 3 | 4 | 4 | 3 | 3 | 3 | 3 | 2 | 4 | 4 | 4 | 4 | 4
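The comparison in Table C1 can be reproduced from the top-event results of the cut set listings in Tables C2 to C19 (which include CCF events at β=1%). The Python script below is an added example; it is not code from the report or output of the fault tree program. It encodes the IEC 61508-2 architectural constraint table for type A (low complexity) subsystems, the IEC 61508-1 SIL bands for PFDavg and for dangerous failure rate, the per-circuit top-event frequency and probability copied from the listings, and the β=1% columns of Table C1, then recomputes the numerical SILs and reports where they differ. Two things are assumptions, not statements of the report: the conversion from per-year to per-hour rates uses 8760 h/yr, and the script treats any value within 10% of a decade boundary as a band-edge case. Circuit 12 is such a case: 9.23E-05/yr is about 5% above 1E-08/h, so it bands as SIL 3 here while Table C1 lists SIL 4 on the failure rate basis.

```python
"""Architectural constraints versus numerically assessed SIL (added example).

Not code from the report. Encodes IEC 61508-2 Table 2 (type A subsystems) and the
IEC 61508-1 target failure measures, then re-derives the numerical SILs of Table C1
from the top-event results of the cut set listings (Tables C2 to C19).
"""
import math

HOURS_PER_YEAR = 8760.0  # assumption: the report does not state its hours-per-year figure

# IEC 61508-2 Table 2, type A subsystems: maximum SIL for a hardware fault tolerance (key)
# and safe failure fraction band (index): <60%, 60%-<90%, 90%-<99%, >=99%.
ARCH_CONSTRAINT_TYPE_A = {0: (1, 2, 3, 3), 1: (2, 3, 4, 4), 2: (3, 4, 4, 4)}
SFF_BAND_EDGES = (0.60, 0.90, 0.99)


def sff_band(sff):
    """0 for SFF < 60% (the default when no SFF is demonstrated), up to 3 for SFF >= 99%."""
    return sum(sff >= edge for edge in SFF_BAND_EDGES)


def architectural_constraint(hft, sff=0.0):
    """SIL cap from hardware fault tolerance and safe failure fraction (type A table)."""
    return ARCH_CONSTRAINT_TYPE_A[hft][sff_band(sff)]


def relaxation_from_sff(hft, sff):
    """How many SIL levels a demonstrated SFF buys over the <60% default (at most 2)."""
    return architectural_constraint(hft, sff) - architectural_constraint(hft, 0.0)


def sil_from_pfd(pfd_avg):
    """Low-demand mode: SIL n means 10^-(n+1) <= PFDavg < 10^-n; below 10^-5 is still SIL 4."""
    if pfd_avg >= 1e-1:
        return 0
    for sil, lower in ((1, 1e-2), (2, 1e-3), (3, 1e-4), (4, 1e-5)):
        if pfd_avg >= lower:
            return sil
    return 4


def sil_from_rate(rate_per_hour):
    """High-demand mode: SIL n means 10^-(n+5) <= rate < 10^-(n+4) per hour."""
    if rate_per_hour >= 1e-5:
        return 0
    for sil, lower in ((1, 1e-6), (2, 1e-7), (3, 1e-8), (4, 1e-9)):
        if rate_per_hour >= lower:
            return sil
    return 4


def near_band_edge(value, rel=0.1):
    """True when value lies within rel of a decade boundary, i.e. the SIL could flip."""
    edge = 10.0 ** round(math.log10(value))
    return abs(value - edge) <= rel * edge


def claimable_sil(hft, sff, numerical_sil):
    """The SIL that can be claimed: the lower of the architectural cap and the numbers."""
    return min(architectural_constraint(hft, sff), numerical_sil)


# (circuit, HFT, top-event frequency per year, top-event probability) from Tables C2 to C19,
# followed by the Table C1 entries in the CCF beta = 1% columns (failure rate basis, PFD basis).
CIRCUITS = [
    (1, 0, 1.01e-2, 5.03e-3, 1, 2), (2, 0, 8.42e-3, 4.20e-3, 2, 2),
    (3, 0, 8.42e-3, 4.20e-3, 2, 2), (4, 0, 1.76e-3, 8.69e-4, 2, 3),
    (5, 0, 1.75e-3, 8.65e-4, 2, 3), (6, 0, 1.73e-3, 8.50e-4, 2, 3),
    (7, 0, 3.00e-3, 1.29e-3, 2, 2), (8, 1, 1.34e-3, 4.59e-4, 2, 3),
    (9, 1, 7.56e-4, 2.52e-4, 3, 3), (10, 1, 2.25e-4, 8.70e-5, 3, 4),
    (11, 1, 3.29e-4, 9.35e-6, 3, 4), (12, 1, 9.23e-5, 8.69e-6, 4, 4),
    (13, 1, 2.20e-4, 8.55e-5, 3, 4), (14, 1, 1.34e-3, 4.50e-4, 2, 3),
    (15, 1, 1.34e-3, 4.50e-4, 2, 3), (16, 1, 3.42e-4, 9.40e-7, 3, 4),
    (17, 1, 3.41e-4, 9.38e-7, 3, 4), (18, 1, 2.61e-4, 7.10e-7, 3, 4),
]


def assess(freq_per_year, pfd_avg):
    """(SIL on failure-rate basis, SIL on PFD basis) for one top event."""
    return sil_from_rate(freq_per_year / HOURS_PER_YEAR), sil_from_pfd(pfd_avg)


def compare_with_table_c1():
    """Circuits whose recomputed SILs differ from Table C1, as (circuit, computed, listed)."""
    return [
        (c, assess(f, p), (fr_sil, pfd_sil))
        for c, _hft, f, p, fr_sil, pfd_sil in CIRCUITS
        if assess(f, p) != (fr_sil, pfd_sil)
    ]


def band_edge_cases():
    """Circuits whose failure rate or PFD sits within 10% of a SIL band boundary."""
    return [
        c for c, _hft, f, p, _fr, _pfd in CIRCUITS
        if near_band_edge(f / HOURS_PER_YEAR) or near_band_edge(p)
    ]


if __name__ == "__main__":
    for c, hft, f, p, _fr, _pfd in CIRCUITS:
        rate_sil, pfd_sil = assess(f, p)
        print(f"circuit {c:2d}: HFT {hft}, default cap SIL {architectural_constraint(hft)}, "
              f"rate SIL {rate_sil}, PFD SIL {pfd_sil}, "
              f"claimable on PFD with SFF<60%: SIL {claimable_sil(hft, 0.0, pfd_sil)}")
    print("differs from Table C1:", compare_with_table_c1())
    print("within 10% of a band edge:", band_edge_cases())
```

The practical reading of the table follows from `claimable_sil`: circuit 8, for instance, reaches SIL 3 on the PFD basis but is capped at SIL 2 by the HFT = 1 default constraint until an SFF of at least 60% is demonstrated, which is exactly the relaxation the paragraph above describes.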

FIGURE C1: CIRCUIT 1

FIGURE C2: CIRCUIT 2

FIGURE C3: CIRCUIT 3

FIGURE C4: CIRCUIT 4

FIGURE C5: CIRCUIT 5

FIGURE C6: CIRCUIT 6

FIGURE C7: CIRCUIT 7

FIGURE C8: CIRCUIT 8

FIGURE C9: CIRCUIT 9

FIGURE C10: CIRCUIT 10

FIGURE C11: CIRCUIT 11

FIGURE C12: CIRCUIT 12

FIGURE C13: CIRCUIT 13

FIGURE C14: CIRCUIT 14

FIGURE C15: CIRCUIT 15

FIGURE C16: CIRCUIT 16

FIGURE C17: CIRCUIT 17

FIGURE C18: CIRCUIT 18

TABLE C2: CUTSET LISTING FOR TOP EVENT CCT1

Version 5.27 | Date (dd-mm-yy): 29-08-01 | Time: 15.45.14
Fault Tree File: G:\JOBS\WO\J\2614\LOGAN\WITH CCF\J2614_001_2LS_LOWCCF
Top Event: CCT1 | Freq: 1.01E-02 | Prob: 5.03E-03

No. | Events | Frequency | Probability
1 | S1NCMFTO | 1.70E-03 | 8.50E-04
2 | S1NCCFTO | 1.70E-03 | 8.50E-04
3 | CONDS/C | 5.00E-03 | 2.50E-03
4 | K1FTDO | 1.68E-03 | 8.40E-04

TABLE C3: CUTSET LISTING FOR TOP EVENT CCT2

Version 5.27 | Date (dd-mm-yy): 29-08-01 | Time: 15.47.25
Fault Tree File: G:\JOBS\WO\J\2614\LOGAN\WITH CCF\J2614_001_2LS_LOWCCF
Top Event: CCT2 | Freq: 8.42E-03 | Prob: 4.20E-03

No. | Events | Frequency | Probability
1 | S1NCMFTO | 1.70E-03 | 8.50E-04
2 | S1NCCFTO | 1.70E-03 | 8.50E-04
3 | CONDS/C | 5.00E-03 | 2.50E-03
4 | CCFRELDO | 1.68E-05 | 8.40E-06
5 | K1FTDO K2FTDO | 2.82E-06 | 9.41E-07

TABLE C4: CUTSET LISTING FOR TOP EVENT CCT3

Version 5.27 | Date (dd-mm-yy): 29-08-01 | Time: 15.48.07
Fault Tree File: G:\JOBS\WO\J\2614\LOGAN\WITH CCF\J2614_001_2LS_LOWCCF
Top Event: CCT3 | Freq: 8.42E-03 | Prob: 4.20E-03

No. | Events | Frequency | Probability
1 | S1NCMFTO | 1.70E-03 | 8.50E-04
2 | S1NCCFTO | 1.70E-03 | 8.50E-04
3 | CONDS/C | 5.00E-03 | 2.50E-03
4 | CCFRDOR | 1.68E-05 | 4.60E-08
5 | K2FTDOR K3FTDOR | 1.55E-08 | 2.12E-11
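The frequency and probability columns of these listings can be re-derived from the basic-event failure rates with the usual unrevealed/revealed fault formulas, which makes the listings auditable rather than something to be taken on trust from the tool. The Python below is an added example, not the report's code or the fault tree program's output, and it reproduces Tables C3 and C4 (circuits 2 and 3). Everything it assumes is inferred from ratios in the listings rather than stated on the page: unrevealed faults are proof tested every PTI = 1y (probability = rate × T/2, as the single-event rows show); revealed faults (the names ending in R) are repaired in 24 h on average (the probability/frequency ratio of CCFRDOR, 2.74E-03 y); common-cause events carry β=1% of the relay rate (CCFRELDO = 0.01 × K1FTDO); and the top-event probability is the minimal cut set upper bound 1 − Π(1 − P_i), which gives 4.20E-03 where a plain sum would give 4.21E-03. The basic-event names and rates are copied from the single-event rows of the two listings.

```python
"""Re-deriving a cut set listing (added example, not the report's code).

Assumptions inferred from the listed numbers, not stated on the page:
  * unrevealed faults are proof tested every PTI = 1 year,
  * revealed faults (names ending in R) are repaired in 24 h on average,
  * common-cause events carry beta = 1 % of the relay failure rate,
  * the top-event probability is the minimal cut set upper bound 1 - prod(1 - P_i).
All rates are per year, as in the listings.
"""
from dataclasses import dataclass
from math import prod

HOURS_PER_YEAR = 8760.0
PTI_YEARS = 1.0                      # annual proof test (Table C1: PTI = 1y)
MTTR_YEARS = 24.0 / HOURS_PER_YEAR   # assumed mean time to repair for revealed faults
BETA = 0.01                          # assumed CCF beta factor for the "LOWCCF" runs


@dataclass(frozen=True)
class BasicEvent:
    name: str
    rate: float             # failures per year
    revealed: bool = False  # True for the "...R" events, which are repaired when they occur

    def mean_unavailability(self):
        """Time-averaged probability of being in the failed state."""
        if self.revealed:
            return self.rate * MTTR_YEARS
        return self.rate * PTI_YEARS / 2.0   # fraction of the test interval spent failed


def cutset_probability(events):
    """Time-averaged probability that every event in the cut set is failed at once.

    Unrevealed faults accumulate within the same test interval, so the average of
    prod(lambda_j * t) over one interval is prod(lambda_j) * T^n / (n + 1): for two
    events T^2/3, not the (T/2)^2 that multiplying the individual averages would give.
    Revealed faults are short-lived and independent, so their averages simply multiply.
    """
    unrevealed = [e for e in events if not e.revealed]
    revealed = [e for e in events if e.revealed]
    p = prod(e.mean_unavailability() for e in revealed)
    n = len(unrevealed)
    if n:
        p *= prod(e.rate for e in unrevealed) * PTI_YEARS ** n / (n + 1)
    return p


def cutset_frequency(events):
    """Rate at which the cut set is completed: each event fails while the others are
    already down (rare-event approximation, summed over which event fails last)."""
    return sum(
        e.rate * prod(o.mean_unavailability() for o in events if o is not e)
        for e in events
    )


def top_event(cutsets):
    """(frequency per year, probability) for the OR of all minimal cut sets."""
    freq = sum(cutset_frequency(cs) for cs in cutsets)
    prob = 1.0 - prod(1.0 - cutset_probability(cs) for cs in cutsets)
    return freq, prob


def matches_listing(value, listed, rel=5e-3):
    """True when value agrees with a three-significant-figure listing entry."""
    return abs(value - listed) <= rel * abs(listed)


# Constructed basic events for circuits 2 and 3 (Tables C3 and C4). The names are the
# listing's own; the rates are read off the single-event cut sets of those listings.
S1NCMFTO = BasicEvent("S1NCMFTO", 1.70e-3)
S1NCCFTO = BasicEvent("S1NCCFTO", 1.70e-3)
CONDS_C = BasicEvent("CONDS/C", 5.00e-3)
K1FTDO = BasicEvent("K1FTDO", 1.68e-3)
K2FTDO = BasicEvent("K2FTDO", 1.68e-3)
CCFRELDO = BasicEvent("CCFRELDO", BETA * K1FTDO.rate)   # CCF of the duplicated relays
K2FTDOR = BasicEvent("K2FTDOR", 1.68e-3, revealed=True)
K3FTDOR = BasicEvent("K3FTDOR", 1.68e-3, revealed=True)
CCFRDOR = BasicEvent("CCFRDOR", BETA * K2FTDOR.rate, revealed=True)

CIRCUIT_2_CUTSETS = [(S1NCMFTO,), (S1NCCFTO,), (CONDS_C,), (CCFRELDO,), (K1FTDO, K2FTDO)]
CIRCUIT_3_CUTSETS = [(S1NCMFTO,), (S1NCCFTO,), (CONDS_C,), (CCFRDOR,), (K2FTDOR, K3FTDOR)]


def print_listing(top_name, cutsets):
    """Print a listing in the same Freq/Prob layout as the report's tables."""
    freq, prob = top_event(cutsets)
    print(f"Top Event: {top_name} | Freq: {freq:.2E} | Prob: {prob:.2E}")
    for i, cs in enumerate(cutsets, 1):
        names = " ".join(e.name for e in cs)
        print(f"{i} | {names} | {cutset_frequency(cs):.2E} | {cutset_probability(cs):.2E}")


if __name__ == "__main__":
    print_listing("CCT2", CIRCUIT_2_CUTSETS)
    print_listing("CCT3", CIRCUIT_3_CUTSETS)
```

The two runs show what the R suffix buys and what it does not: making the relay failures revealed drops the double-relay cut set from 2.82E-06 / 9.41E-07 to 1.55E-08 / 2.12E-11, three to four orders of magnitude, yet both top events stay at 8.42E-03 / 4.20E-03 because the single-event cut sets on the switch contacts and the conductor dominate. Improving the relays further in these two circuits changes nothing until those single points of failure are addressed.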

TABLE C5: CUTSET LISTING FOR TOP EVENT CCT4

Version 5.27 | Date (dd-mm-yy): 29-08-01 | Time: 15.48.32
Fault Tree File: G:\JOBS\WO\J\2614\LOGAN\WITH CCF\J2614_001_2LS_LOWCCF
Top Event: CCT4 | Freq: 1.76E-03 | Prob: 8.69E-04

No. | Events | Frequency | Probability
1 | S1NCMFTO | 1.70E-03 | 8.50E-04
2 | S1NCCFTO S1NOCFTC | 2.89E-06 | 9.63E-07
3 | CONDS/C S1NOCFTC | 8.50E-06 | 2.83E-06
4 | CCFRDOR S1NOCFTC | 1.44E-08 | 3.91E-11
5 | CONDS/C CONDO/C | 2.50E-05 | 8.33E-06
6 | S1NCCFTO CONDO/C | 8.50E-06 | 2.83E-06
7 | S1NCCFTO K3FTPI | 2.86E-06 | 9.52E-07
8 | CCFRDOR K3FTPI | 1.42E-08 | 3.87E-11
9 | CONDS/C K3FTPI | 8.40E-06 | 2.80E-06
10 | CCFRDOR CONDO/C | 4.22E-08 | 1.15E-10
11 | K1FTDOR K2FTDOR S1NOCFTC | 1.32E-11 | 1.80E-14
12 | K1FTDOR K2FTDOR CONDO/C | 3.88E-11 | 5.30E-14
13 | K1FTDOR K2FTDOR K3FTPI | 1.30E-11 | 1.78E-14

TABLE C6: CUTSET LISTING FOR TOP EVENT CCT5

Version 5.27 | Date (dd-mm-yy): 29-08-01 | Time: 15.48.54
Fault Tree File: G:\JOBS\WO\J\2614\LOGAN\WITH CCF\J2614_001_2LS_LOWCCF
Top Event: CCT5 | Freq: 1.75E-03 | Prob: 8.65E-04

No. | Events | Frequency | Probability
1 | S1NCMFTO | 1.70E-03 | 8.50E-04
2 | S1NCCFTO S1NOCFTC | 2.89E-06 | 9.63E-07
3 | CONDS/C S1NOCFTC | 8.50E-06 | 2.83E-06
4 | CCFRDOR S1NOCFTC | 1.44E-08 | 3.91E-11
5 | CONDS/C CONDO/C | 2.50E-05 | 8.33E-06
6 | S1NCCFTO CONDO/C | 8.50E-06 | 2.83E-06
7 | S1NCCFTO K1FTPIR | 1.44E-06 | 3.91E-09
8 | CCFRDOR K1FTPIR | 1.55E-10 | 2.12E-13
9 | CONDS/C K1FTPIR | 4.22E-06 | 1.15E-08
10 | CCFRDOR CONDO/C | 4.22E-08 | 1.15E-10
11 | K2FTDOR K3FTDOR S1NOCFTC | 1.32E-11 | 1.80E-14
12 | K2FTDOR K3FTDOR CONDO/C | 3.88E-11 | 5.30E-14
13 | K2FTDOR K3FTDOR K1FTPIR | 1.07E-13 | 9.75E-17

TABLE C7: CUTSET LISTING FOR TOP EVENT CCT6

Version 5.27 | Date (dd-mm-yy): 29-08-01 | Time: 15.49.21
Fault Tree File: G:\JOBS\WO\J\2614\LOGAN\WITH CCF\J2614_001_2LS_LOWCCF
Top Event: CCT6 | Freq: 1.73E-03 | Prob: 8.50E-04

No. | Events | Frequency | Probability
1 | S1NCMFTO | 1.70E-03 | 8.50E-04
2 | S1NCCFTO S1NOFTCR | 1.45E-06 | 3.96E-09
3 | CONDS/C S1NOFTCR | 4.27E-06 | 1.16E-08
4 | CCFRDOR S1NOFTCR | 1.57E-10 | 2.14E-13
5 | CONDS/C CON1O/CR | 1.26E-05 | 3.42E-08
6 | S1NCCFTO CON1O/CR | 4.27E-06 | 1.16E-08
7 | S1NCCFTO K4FTPIR | 1.44E-06 | 3.91E-09
8 | CCFRDOR K4FTPIR | 1.55E-10 | 2.12E-13
9 | CONDS/C K4FTPIR | 4.22E-06 | 1.15E-08
10 | CCFRDOR CON1O/CR | 4.60E-10 | 6.31E-13
11 | K2FTDOR K3FTDOR S1NOFTCR | 1.08E-13 | 9.87E-17
12 | K2FTDOR K3FTDOR CON1O/CR | 3.18E-13 | 2.90E-16
13 | K2FTDOR K3FTDOR K4FTPIR | 1.07E-13 | 9.75E-17

TABLE C8: CUTSET LISTING FOR TOP EVENT CCT7

Version 5.27 | Date (dd-mm-yy): 29-08-01 | Time: 15.49.43
Fault Tree File: G:\JOBS\WO\J\2614\LOGAN\WITH CCF\J2614_001_2LS_LOWCCF
Top Event: CCT7 | Freq: 3.00E-03 | Prob: 1.29E-03

No. | Events | Frequency | Probability
1 | CCFSWM | 1.70E-05 | 8.50E-06
2 | CCFSFTO | 1.70E-05 | 8.50E-06
3 | CCFCSC | 5.00E-05 | 2.50E-05
4 | K1FTDO | 1.68E-03 | 8.40E-04
5 | S1NCMFTO S2NOMFTO | 1.21E-04 | 3.98E-05
6 | S1NCCFTO S2NOMFTO | 1.21E-04 | 3.98E-05
7 | COND1S/C S2NOMFTO | 3.56E-04 | 1.17E-04
8 | S1NCMFTO S2NCCFTO | 1.21E-04 | 3.98E-05
9 | S1NCMFTO COND2S/C | 8.50E-06 | 2.83E-06
10 | S1NCCFTO S2NCCFTO | 1.21E-04 | 3.98E-05
11 | S1NCCFTO COND2S/C | 8.50E-06 | 2.83E-06
12 | COND1S/C S2NCCFTO | 3.56E-04 | 1.17E-04
13 | COND1S/C COND2S/C | 2.50E-05 | 8.33E-06

TABLE C9: CUTSET LISTING FOR TOP EVENT CCT8

Version 5.27 | Date (dd-mm-yy): 29-08-01 | Time: 15.50.22
Fault Tree File: G:\JOBS\WO\J\2614\LOGAN\WITH CCF\J2614_001_2LS_LOWCCF
Top Event: CCT8 | Freq: 1.34E-03 | Prob: 4.59E-04

No. | Events | Frequency | Probability
1 | CCFSWM | 1.70E-05 | 8.50E-06
2 | CCFSFTO | 1.70E-05 | 8.50E-06
3 | CCFCSC | 5.00E-05 | 2.50E-05
4 | CCFRELDO | 1.68E-05 | 8.40E-06
5 | K1FTDO K2FTDO | 2.82E-06 | 9.41E-07
6 | S1NCCFTO S2NOMFTO | 1.21E-04 | 3.98E-05
7 | COND1S/C S2NOMFTO | 3.56E-04 | 1.17E-04
8 | S1NCMFTO S2NCCFTO | 1.21E-04 | 3.98E-05
9 | S1NCMFTO COND2S/C | 8.50E-06 | 2.83E-06
10 | S1NCMFTO S2NOMFTO | 1.21E-04 | 3.98E-05
11 | S1NCCFTO S2NCCFTO | 1.21E-04 | 3.98E-05
12 | S1NCCFTO COND2S/C | 8.50E-06 | 2.83E-06
13 | COND1S/C S2NCCFTO | 3.56E-04 | 1.17E-04
14 | COND1S/C COND2S/C | 2.50E-05 | 8.33E-06

TABLE C10: CUTSET LISTING FOR TOP EVENT CCT9

Version 5.27 | Date (dd-mm-yy): 29-08-01 | Time: 15.50.44
Fault Tree File: G:\JOBS\WO\J\2614\LOGAN\WITH CCF\J2614_001_2LS_LOWCCF
Top Event: CCT9 | Freq: 7.56E-04 | Prob: 2.52E-04

No. | Events | Frequency | Probability
1 | CCFRELDO | 1.68E-05 | 8.40E-06
2 | LINK1FTO S2NOMFTO | 7.12E-22 | 2.34E-22
3 | K1FTDO K2FTDO | 2.82E-06 | 9.41E-07
4 | LINK1FTO S2NCCFTO | 7.12E-22 | 2.34E-22
5 | LINK1FTO COND2S/C | 5.00E-23 | 1.67E-23
6 | CONLKS/C S2NOMFTO | 3.56E-04 | 1.17E-04
7 | CONLKS/C S2NCCFTO | 3.56E-04 | 1.17E-04
8 | CONLKS/C COND2S/C | 2.50E-05 | 8.33E-06

TABLE C11: CUTSET LISTING FOR TOP EVENT CCT10

Version 5.27 | Date (dd-mm-yy): 29-08-01 | Time: 15.51.28
Fault Tree File: G:\JOBS\WO\J\2614\LOGAN\WITH CCF\J2614_001_2LS_LOWCCF
Top Event: CCT10 | Freq: 2.25E-04 | Prob: 8.70E-05

No. | Events | Frequency | Probability
1 | CCFSFTO | 1.70E-05 | 8.50E-06
2 | CCFSWM | 1.70E-05 | 8.50E-06
3 | CCFCSC | 5.00E-05 | 2.50E-05
4 | K1FTDO K2FTPI | 2.82E-06 | 9.41E-07
5 | S1MFTO S2MFTO | 1.21E-04 | 3.98E-05
6 | S2MFTO K2FTPI S1NCCFTO | 2.02E-07 | 5.02E-08
7 | S1MFTO S2NCCFTO S2NOCFTC | 8.54E-06 | 2.10E-06
8 | S1MFTO K2FTPI S2NCCFTO | 2.02E-07 | 5.02E-08
9 | K1FTDO S2MFTO S1NOCFTC | 2.02E-07 | 5.02E-08
10 | K1FTDO S1MFTO S2NOCFTC | 2.02E-07 | 5.02E-08
11 | S2MFTO S1NCCFTO S1NOCFTC | 2.05E-07 | 5.08E-08
12 | K1FTDO S1NOCFTC S2NOCFTC | 2.02E-07 | 5.02E-08
13 | K2FTPI S1NCCFTO S2NCCFTO | 2.02E-07 | 5.02E-08
14 | K2FTPI COND1S/C COND2S/C | 4.20E-08 | 1.05E-08
15 | S2MFTO COND1S/C S1NOCFTC | 6.02E-07 | 1.49E-07
16 | S2MFTO S1NCCFTO COND1O/C | 6.02E-07 | 1.49E-07
17 | S1MFTO K2FTPI COND2S/C | 1.43E-08 | 3.57E-09
18 | S2MFTO K2FTPI COND1S/C | 5.95E-07 | 1.48E-07
19 | S1MFTO COND2S/C S2NOCFTC | 6.02E-07 | 1.49E-07
20 | S1MFTO S2NCCFTO COND2O/C | 6.02E-07 | 1.49E-07
21 | K1FTDO S2MFTO COND1O/C | 5.95E-07 | 1.48E-07
22 | K1FTDO S1MFTO COND2O/C | 1.43E-08 | 3.57E-09
23 | K1FTDO COND1O/C S2NOCFTC | 5.95E-07 | 1.48E-07
24 | K1FTDO S1NOCFTC COND2O/C | 1.43E-08 | 3.57E-09
25 | K2FTPI COND1S/C S2NCCFTO | 5.95E-07 | 1.48E-07
26 | K2FTPI S1NCCFTO COND2S/C | 1.43E-08 | 3.57E-09
27 | K1FTDO COND1O/C COND2O/C | 4.20E-08 | 1.05E-08
28 | S1MFTO COND2S/C COND2O/C | 4.25E-08 | 1.06E-08
29 | S2MFTO COND1S/C COND1O/C | 1.77E-06 | 4.39E-07
30 | S1NCCFTO S2NCCFTO S1NOCFTC COND2O/C | 1.02E-09 | 2.03E-10
31 | S1NCCFTO S2NCCFTO COND1O/C S2NOCFTC | 4.25E-08 | 8.40E-09
32 | S1NCCFTO COND2S/C S1NOCFTC S2NOCFTC | 1.02E-09 | 2.03E-10
33 | COND1S/C S2NCCFTO S1NOCFTC S2NOCFTC | 4.25E-08 | 8.40E-09
34 | S1NCCFTO S2NCCFTO S1NOCFTC S2NOCFTC | 1.45E-08 | 2.86E-09
35 | COND1S/C COND2S/C S1NOCFTC S2NOCFTC | 3.01E-09 | 5.98E-10
36 | COND1S/C S2NCCFTO COND1O/C S2NOCFTC | 1.25E-07 | 2.47E-08
37 | COND1S/C S2NCCFTO S1NOCFTC COND2O/C | 3.01E-09 | 5.98E-10
38 | S1NCCFTO COND2S/C COND1O/C S2NOCFTC | 3.01E-09 | 5.98E-10
39 | S1NCCFTO COND2S/C S1NOCFTC COND2O/C | 7.23E-11 | 1.45E-11
40 | S1NCCFTO S2NCCFTO COND1O/C COND2O/C | 3.01E-09 | 5.98E-10
41 | COND1S/C COND2S/C COND1O/C S2NOCFTC | 8.84E-09 | 1.76E-09
42 | COND1S/C COND2S/C S1NOCFTC COND2O/C | 2.13E-10 | 4.25E-11
43 | COND1S/C S2NCCFTO COND1O/C COND2O/C | 8.84E-09 | 1.76E-09
44 | S1NCCFTO COND2S/C COND1O/C COND2O/C | 2.13E-10 | 4.25E-11
45 | COND1S/C COND2S/C COND1O/C COND2O/C | 6.25E-10 | 1.25E-10

TABLE C12: CUTSET LISTING FOR TOP EVENT CCT11

Version 5.27 | Date (dd-mm-yy): 29-08-01 | Time: 15.51.55
Fault Tree File: G:\JOBS\WO\J\2614\LOGAN\WITH CCF\J2614_001_2LS_LOWCCF
Top Event: CCT11 | Freq: 3.29E-04 | Prob: 9.35E-06

No. | Events | Frequency | Probability
1 | CCFSWMR | 1.70E-05 | 4.66E-08
2 | CCFSFTO | 1.70E-05 | 8.50E-06
3 | CCFCSCR | 5.00E-05 | 1.37E-07
4 | S2MFTOR S1NCCFTO | 6.15E-05 | 1.68E-07
5 | S1MFTOR S2NCFTOR | 6.71E-07 | 9.19E-10
6 | S1MFTOR S2MFTOR | 6.71E-07 | 9.19E-10
7 | K1FTDOR S1MFTOR | 1.57E-08 | 2.14E-11
8 | K1FTDOR S2MFTOR | 6.63E-07 | 9.08E-10
9 | K1FTDOR K2FTPIR | 1.55E-08 | 2.12E-11
10 | K1FTDOR S2NOFTCR | 6.63E-07 | 9.08E-10
11 | K1FTDOR S1NOFTCR | 1.57E-08 | 2.14E-11
12 | K1FTDOR CON1O/CR | 4.60E-08 | 6.31E-11
13 | K1FTDOR CON2O/CR | 4.60E-08 | 6.31E-11
14 | S1MFTOR CON2S/CR | 4.66E-08 | 6.38E-11
15 | S2MFTOR COND1S/C | 1.81E-04 | 4.93E-07
16 | S1NCCFTO S2NCFTOR S1NOFTCR | 5.72E-10 | 7.81E-13
17 | S1NCCFTO S2NCFTOR S2NOFTCR | 2.42E-08 | 3.31E-11
18 | K2FTPIR S1NCCFTO S2NCFTOR | 5.65E-10 | 7.72E-13
19 | K2FTPIR COND1S/C S2NCFTOR | 1.66E-09 | 2.27E-12
20 | K2FTPIR S1NCCFTO CON2S/CR | 3.92E-11 | 5.36E-14
21 | COND1S/C S2NCFTOR S2NOFTCR | 7.12E-08 | 9.73E-11
22 | S1NCCFTO CON2S/CR S2NOFTCR | 1.68E-09 | 2.30E-12
23 | S1NCCFTO S2NCFTOR CON2O/CR | 1.68E-09 | 2.30E-12
24 | COND1S/C S2NCFTOR S1NOFTCR | 1.68E-09 | 2.30E-12
25 | S1NCCFTO CON2S/CR S1NOFTCR | 3.97E-11 | 5.42E-14
26 | S1NCCFTO S2NCFTOR CON1O/CR | 1.68E-09 | 2.30E-12
27 | K2FTPIR COND1S/C CON2S/CR | 1.15E-10 | 1.58E-13
28 | COND1S/C CON2S/CR S2NOFTCR | 4.94E-09 | 6.76E-12
29 | COND1S/C S2NCFTOR CON2O/CR | 4.94E-09 | 6.76E-12
30 | S1NCCFTO CON2S/CR CON2O/CR | 1.17E-10 | 1.60E-13
31 | COND1S/C CON2S/CR S1NOFTCR | 1.17E-10 | 1.60E-13
32 | COND1S/C S2NCFTOR CON1O/CR | 4.94E-09 | 6.76E-12
33 | S1NCCFTO CON2S/CR CON1O/CR | 1.17E-10 | 1.60E-13
34 | COND1S/C CON2S/CR CON2O/CR | 3.43E-10 | 4.69E-13
35 | COND1S/C CON2S/CR CON1O/CR | 3.43E-10 | 4.69E-13

TABLE C13: CUTSET LISTING FOR TOP EVENT CCT12

Version 5.27 | Date (dd-mm-yy): 29-08-01 | Time: 15.52.23
Fault Tree File: G:\JOBS\WO\J\2614\LOGAN\WITH CCF\J2614_001_2LS_LOWCCF
Top Event: CCT12 | Freq: 9.23E-05 | Prob: 8.69E-06

No. | Events | Frequency | Probability
1 | CCFSWMR | 1.70E-05 | 4.66E-08
2 | CCFSFTO | 1.70E-05 | 8.50E-06
3 | CCFCSCR | 5.00E-05 | 1.37E-07
4 | S1MFTOR S2MFTOR | 6.71E-07 | 9.19E-10
5 | K1FTDOR S2MFTOR | 6.63E-07 | 9.08E-10
6 | K2FTPIR S1MFTOR | 1.57E-08 | 2.14E-11
7 | S1NCFTOR S2MFTOR | 6.71E-07 | 9.19E-10
8 | CON1S/CR S2MFTOR | 1.97E-06 | 2.70E-09
9 | S1MFTOR S2NOFTCR | 6.71E-07 | 9.19E-10
10 | S1MFTOR CON2O/CR | 4.66E-08 | 6.38E-11
11 | K1FTDOR K2FTPIR | 1.55E-08 | 2.12E-11
12 | K1FTDOR S2NOFTCR | 6.63E-07 | 9.08E-10
13 | K1FTDOR CON2O/CR | 4.60E-08 | 6.31E-11
14 | K2FTPIR S1NCFTOR | 1.57E-08 | 2.14E-11
15 | K2FTPIR CON1S/CR | 4.60E-08 | 6.31E-11
16 | S1NCFTOR S2NOFTCR | 6.71E-07 | 9.19E-10
17 | S1NCFTOR CON2O/CR | 4.66E-08 | 6.38E-11
18 | CON1S/CR S2NOFTCR | 1.97E-06 | 2.70E-09
19 | CON1S/CR CON2O/CR | 1.37E-07 | 1.88E-10

TABLE C14: CUTSET LISTING FOR TOP EVENT CCT13

Version 5.27 | Date (dd-mm-yy): 29-08-01 | Time: 15.53.03
Fault Tree File: G:\JOBS\WO\J\2614\LOGAN\WITH CCF\J2614_001_2LS_LOWCCF
Top Event: CCT13 | Freq: 2.20E-04 | Prob: 8.55E-05

No. | Events | Frequency | Probability
1 | CCFCSC | 5.00E-05 | 2.50E-05
2 | CCFSFTO | 1.70E-05 | 8.50E-06
3 | CCFSWM | 1.70E-05 | 8.50E-06
4 | S1MFTO S2MFTO | 1.21E-04 | 3.98E-05
5 | CCFRDOR K3FTPI | 1.42E-08 | 3.87E-11
6 | S1MFTO K3FTPI S2NCCFTO | 2.02E-07 | 5.02E-08
7 | CCFRDOR S1MFTO S2NOCFTC | 5.08E-10 | 1.83E-12
8 | CCFRDOR S1NOCFTC S2NOCFTC | 5.08E-10 | 1.83E-12
9 | K3FTPI COND1S/C COND2S/C | 4.20E-08 | 1.05E-08
10 | S1MFTO S2NCCFTO S2NOCFTC | 8.54E-06 | 2.10E-06
11 | S2MFTO S1NCCFTO S1NOCFTC | 2.05E-07 | 5.08E-08
12 | K3FTPI S1NCCFTO S2NCCFTO | 2.02E-07 | 5.02E-08
13 | S2MFTO K3FTPI S1NCCFTO | 2.02E-07 | 5.02E-08
14 | CCFRDOR S2MFTO S1NOCFTC | 5.08E-10 | 1.83E-12
15 | S2MFTO COND1S/C COND1O/C | 1.77E-06 | 4.39E-07
16 | S1MFTO COND2S/C COND2O/C | 4.25E-08 | 1.06E-08
17 | K1FTDOR K2FTDOR K3FTPI | 1.30E-11 | 1.78E-14
18 | CCFRDOR COND1O/C COND2O/C | 1.06E-10 | 3.84E-13
19 | CCFRDOR S2MFTO COND1O/C | 1.49E-09 | 5.39E-12
20 | CCFRDOR S1MFTO COND2O/C | 3.61E-11 | 1.30E-13
21 | S1MFTO K3FTPI COND2S/C | 1.43E-08 | 3.57E-09
22 | CCFRDOR COND1O/C S2NOCFTC | 1.49E-09 | 5.39E-12
23 | CCFRDOR S1NOCFTC COND2O/C | 3.61E-11 | 1.30E-13
24 | S2MFTO K3FTPI COND1S/C | 5.95E-07 | 1.48E-07
25 | K3FTPI S1NCCFTO COND2S/C | 1.43E-08 | 3.57E-09
26 | K3FTPI COND1S/C S2NCCFTO | 5.95E-07 | 1.48E-07
27 | S2MFTO S1NCCFTO COND1O/C | 6.02E-07 | 1.49E-07
28 | S1MFTO COND2S/C S2NOCFTC | 6.02E-07 | 1.49E-07
29 | S1MFTO S2NCCFTO COND2O/C | 6.02E-07 | 1.49E-07
30 | S2MFTO COND1S/C S1NOCFTC | 6.02E-07 | 1.49E-07
31 | S1NCCFTO S2NCCFTO S1NOCFTC COND2O/C | 1.02E-09 | 2.03E-10
32 | S1NCCFTO S2NCCFTO COND1O/C S2NOCFTC | 4.25E-08 | 8.40E-09
33 | S1NCCFTO COND2S/C S1NOCFTC S2NOCFTC | 1.02E-09 | 2.03E-10
34 | COND1S/C S2NCCFTO S1NOCFTC S2NOCFTC | 4.25E-08 | 8.40E-09
35 | K1FTDOR K2FTDOR S2MFTO COND1O/C | 1.37E-12 | 2.48E-15
36 | K1FTDOR K2FTDOR S1MFTO COND2O/C | 3.30E-14 | 6.00E-17
37 | K1FTDOR K2FTDOR COND1O/C S2NOCFTC | 1.37E-12 | 2.48E-15
38 | K1FTDOR K2FTDOR S1NOCFTC COND2O/C | 3.30E-14 | 6.00E-17
39 | K1FTDOR K2FTDOR S1NOCFTC S2NOCFTC | 4.65E-13 | 8.44E-16
40 | COND1S/C COND2S/C S1NOCFTC S2NOCFTC | 3.01E-09 | 5.98E-10
41 | COND1S/C S2NCCFTO COND1O/C S2NOCFTC | 1.25E-07 | 2.47E-08
42 | COND1S/C S2NCCFTO S1NOCFTC COND2O/C | 3.01E-09 | 5.98E-10
43 | S1NCCFTO COND2S/C COND1O/C S2NOCFTC | 3.01E-09 | 5.98E-10
44 | S1NCCFTO COND2S/C S1NOCFTC COND2O/C | 7.23E-11 | 1.45E-11
45 | S1NCCFTO S2NCCFTO COND1O/C COND2O/C | 3.01E-09 | 5.98E-10
46 | K1FTDOR K2FTDOR S1MFTO S2NOCFTC | 4.65E-13 | 8.44E-16
47 | K1FTDOR K2FTDOR S2MFTO S1NOCFTC | 4.65E-13 | 8.44E-16
48 | S1NCCFTO S2NCCFTO S1NOCFTC S2NOCFTC | 1.45E-08 | 2.86E-09
49 | K1FTDOR K2FTDOR COND1O/C COND2O/C | 9.72E-14 | 1.77E-16
50 | COND1S/C COND2S/C COND1O/C S2NOCFTC | 8.84E-09 | 1.76E-09
51 | COND1S/C COND2S/C S1NOCFTC COND2O/C | 2.13E-10 | 4.25E-11
52 | COND1S/C S2NCCFTO COND1O/C COND2O/C | 8.84E-09 | 1.76E-09
53 | S1NCCFTO COND2S/C COND1O/C COND2O/C | 2.13E-10 | 4.25E-11
54 | COND1S/C COND2S/C COND1O/C COND2O/C | 6.25E-10 | 1.25E-10

TABLE C15: CUTSET LISTING FOR TOP EVENT CCT14

Version 5.27 | Date (dd-mm-yy): 29-08-01 | Time: 15.53.27
Fault Tree File: G:\JOBS\WO\J\2614\LOGAN\WITH CCF\J2614_001_2LS_LOWCCF
Top Event: CCT14 | Freq: 1.34E-03 | Prob: 4.50E-04

No. | Events | Frequency | Probability
1 | CCFCSC | 5.00E-05 | 2.50E-05
2 | CCFRDOR | 1.68E-05 | 4.60E-08
3 | CCFSWM | 1.70E-05 | 8.50E-06
4 | CCFSFTO | 1.70E-05 | 8.50E-06
5 | S1MFTO S2MFTO | 1.21E-04 | 3.98E-05
6 | K1FTDOR K2FTDOR | 1.55E-08 | 2.12E-11
7 | S1NCCFTO S2MFTO | 1.21E-04 | 3.98E-05
8 | COND1S/C S2MFTO | 3.56E-04 | 1.17E-04
9 | S1MFTO S2NCCFTO | 1.21E-04 | 3.98E-05
10 | S1MFTO COND2S/C | 8.50E-06 | 2.83E-06
11 | S1NCCFTO S2NCCFTO | 1.21E-04 | 3.98E-05
12 | S1NCCFTO COND2S/C | 8.50E-06 | 2.83E-06
13 | COND1S/C S2NCCFTO | 3.56E-04 | 1.17E-04
14 | COND1S/C COND2S/C | 2.50E-05 | 8.33E-06

TABLE C16: CUTSET LISTING FOR TOP EVENT CCT15

Version 5.27 | Date (dd-mm-yy): 29-08-01 | Time: 15.53.51
Fault Tree File: G:\JOBS\WO\J\2614\LOGAN\WITH CCF\J2614_001_2LS_LOWCCF
Top Event: CCT15 | Freq: 1.34E-03 | Prob: 4.50E-04

No. | Events | Frequency | Probability
1 | CCFCSC | 5.00E-05 | 2.50E-05
2 | CCFRDOR | 1.68E-05 | 4.60E-08
3 | CCFSWM | 1.70E-05 | 8.50E-06
4 | CCFSFTO | 1.70E-05 | 8.50E-06
5 | S1MFTO S2MFTO | 1.21E-04 | 3.98E-05
6 | K2FTDOR K3FTDOR | 1.55E-08 | 2.12E-11
7 | S1NCCFTO S2MFTO | 1.21E-04 | 3.98E-05
8 | COND1S/C S2MFTO | 3.56E-04 | 1.17E-04
9 | S1MFTO S2NCCFTO | 1.21E-04 | 3.98E-05
10 | S1MFTO COND2S/C | 8.50E-06 | 2.83E-06
11 | S1NCCFTO S2NCCFTO | 1.21E-04 | 3.98E-05
12 | S1NCCFTO COND2S/C | 8.50E-06 | 2.83E-06
13 | COND1S/C S2NCCFTO | 3.56E-04 | 1.17E-04
14 | COND1S/C COND2S/C | 2.50E-05 | 8.33E-06

TABLE C17: CUTSET LISTING FOR TOP EVENT CCT16

Version 5.27 | Date (dd-mm-yy): 29-08-01 | Time: 15.54.21
Fault Tree File: G:\JOBS\WO\J\2614\LOGAN\WITH CCF\J2614_001_2LS_LOWCCF
Top Event: CCT16 | Freq: 3.42E-04 | Prob: 9.40E-07

No. | Events | Frequency | Probability
1 | CCFSWMR | 1.70E-05 | 4.66E-08
2 | S1MFTOR K2FTDOR | 1.57E-08 | 2.14E-11
3 | S1MFTOR S2MFTOR | 6.71E-07 | 9.19E-10
4 | S1MFTOR S2NCCFTO | 6.01E-05 | 1.64E-07
5 | S2MFTOR S1NCCFTO | 6.15E-05 | 1.68E-07
6 | S2MFTOR K2FTDOR | 6.63E-07 | 9.08E-10
7 | CCFCOCR CCFCSC | 1.26E-09 | 3.42E-12
8 | S2NOFTCR K2FTDOR | 6.63E-07 | 9.08E-10
9 | CCFCOCR CCFSFTO | 4.27E-10 | 1.16E-12
10 | S1NOFTCR K2FTDOR | 1.57E-08 | 2.14E-11
11 | CCFSFTCR CCFCSC | 4.27E-10 | 1.16E-12
12 | K1FTPIR K2FTDOR | 1.55E-08 | 2.12E-11
13 | S1MFTOR CCFSFTO | 1.45E-08 | 3.96E-11
14 | S1MFTOR CCFCSC | 4.27E-08 | 1.16E-10
15 | S1MFTOR COND2S/C | 4.27E-06 | 1.16E-08
16 | S2MFTOR COND1S/C | 1.81E-04 | 4.93E-07
17 | S2MFTOR CCFSFTO | 6.15E-07 | 1.68E-09
18 | S2MFTOR CCFCSC | 1.81E-06 | 4.93E-09
19 | CCFSFTCR CCFSFTO | 1.45E-10 | 3.96E-13
20 | CON1O/CR CCFCSC | 1.26E-07 | 3.42E-10
21 | CON1O/CR CCFSFTO | 4.27E-08 | 1.16E-10
22 | CON2O/CR K2FTDOR | 4.60E-08 | 6.31E-11
23 | S2NOFTCR CCFSFTO | 6.15E-07 | 1.68E-09
24 | S2NOFTCR CCFCSC | 1.81E-06 | 4.93E-09
25 | CON2O/CR CCFCSC | 1.26E-07 | 3.42E-10
26 | CON2O/CR CCFSFTO | 4.27E-08 | 1.16E-10
27 | K1FTPIR CCFCSC | 4.22E-08 | 1.15E-10
28 | CON1O/CR K2FTDOR | 4.60E-08 | 6.31E-11
29 | S1NOFTCR CCFSFTO | 1.45E-08 | 3.96E-11
30 | S1NOFTCR CCFCSC | 4.27E-08 | 1.16E-10
31 | K1FTPIR CCFSFTO | 1.44E-08 | 3.91E-11
32 | CCFCOCR K2FTDOR | 4.60E-10 | 6.31E-13
33 | CCFSFTCR K2FTDOR | 1.57E-10 | 2.14E-13
34 | K1FTPIR S1NCCFTO COND2S/C | 3.61E-09 | 1.30E-11
35 | K1FTPIR COND1S/C S2NCCFTO | 1.49E-07 | 5.39E-10
36 | CCFCOCR S1NCCFTO S2NCCFTO | 1.51E-09 | 5.46E-12
37 | CCFSFTCR S1NCCFTO S2NCCFTO | 5.14E-10 | 1.86E-12
38 | S1NOFTCR S1NCCFTO COND2S/C | 3.65E-09 | 1.32E-11
39 | CON2O/CR COND1S/C S2NCCFTO | 4.44E-07 | 1.61E-09
40 | CON2O/CR S1NCCFTO COND2S/C | 1.07E-08 | 3.88E-11
41 | S2NOFTCR COND1S/C COND2S/C | 4.55E-07 | 1.64E-09
42 | S1NOFTCR COND1S/C S2NCCFTO | 1.51E-07 | 5.46E-10
43 | CON1O/CR S1NCCFTO S2NCCFTO | 1.51E-07 | 5.46E-10
44 | CON1O/CR COND1S/C S2NCCFTO | 4.44E-07 | 1.61E-09
45 | CON1O/CR S1NCCFTO COND2S/C | 1.07E-08 | 3.88E-11
46 | S1NOFTCR COND1S/C COND2S/C | 1.07E-08 | 3.88E-11
47 | S2NOFTCR S1NCCFTO COND2S/C | 1.55E-07 | 5.59E-10
48 | S2NOFTCR COND1S/C S2NCCFTO | 6.40E-06 | 2.31E-08
49 | CCFSFTCR COND1S/C S2NCCFTO | 1.51E-09 | 5.46E-12
50 | CCFSFTCR S1NCCFTO COND2S/C | 3.65E-11 | 1.32E-13
51 | CCFCOCR COND1S/C S2NCCFTO | 4.44E-09 | 1.61E-11
52 | CCFCOCR S1NCCFTO COND2S/C | 1.07E-10 | 3.88E-13
53 | K1FTPIR COND1S/C COND2S/C | 1.06E-08 | 3.84E-11
54 | CON2O/CR S1NCCFTO S2NCCFTO | 1.51E-07 | 5.46E-10
55 | K1FTPIR S1NCCFTO S2NCCFTO | 5.08E-08 | 1.83E-10
56 | S1NOFTCR S1NCCFTO S2NCCFTO | 5.14E-08 | 1.86E-10
57 | S2NOFTCR S1NCCFTO S2NCCFTO | 2.18E-06 | 7.86E-09
58 | CON2O/CR COND1S/C COND2S/C | 3.16E-08 | 1.14E-10
59 | CON1O/CR COND1S/C COND2S/C | 3.16E-08 | 1.14E-10
60 | CCFSFTCR COND1S/C COND2S/C | 1.07E-10 | 3.88E-13
61 | CCFCOCR COND1S/C COND2S/C | 3.16E-10 | 1.14E-12

TABLE C18: CUTSET LISTING FOR TOP EVENT CCT17

Version 5.27 Date(dd-mm-yy): 29-08-01 Time: 15.54.46 Fault Tree File: G:\JOBS\WO\J\2614\LOGAN\WITH CCF\J2614_001_2LS_LOWCCF Top Event: CCT17 Freq: 3.41E-04 Prob: 9.38E-07

No. Events Frequency Probability CCFSWMR 1.70E-05 4.66E-08 S1MFTOR CCFCSC 4.27E-08 1.16E-10 S1MFTOR CCFSFTO 1.45E-08 3.96E-11 S1MFTOR CCFRDOR 1.57E-10 2.14E-13 S1MFTOR S2NCCFTO 6.01E-05 1.64E-07 S1MFTOR S2MFTOR 6.71E-07 9.19E-10 CCFRDOR CCFCOCR 4.60E-12 6.31E-15 S2MFTOR CCFCSC 1.81E-06 4.93E-09 S2MFTOR CCFSFTO 6.15E-07 1.68E-09 S2MFTOR CCFRDOR 6.63E-09 9.08E-12 S2MFTOR S1NCCFTO 6.15E-05 1.68E-07 CCFRDOR CCFSFTCR 1.57E-12 2.14E-15 CCFCSC S2NOFTCR 1.81E-06 4.93E-09 CCFSFTO S2NOFTCR 6.15E-07 1.68E-09 CCFRDOR S2NOFTCR 6.63E-09 9.08E-12 CCFSFTO CCFCOCR 4.27E-10 1.16E-12 CCFSFTO CCFSFTCR 1.45E-10 3.96E-13 CCFCSC S1NOFTCR 4.27E-08 1.16E-10 CCFSFTO S1NOFTCR 1.45E-08 3.96E-11 CCFRDOR S1NOFTCR 1.57E-10 2.14E-13 CCFCSC CCFCOCR 1.26E-09 3.42E-12 CCFCSC CCFSFTCR 4.27E-10 1.16E-12 CCFCSC K1FTPIR 4.22E-08 1.15E-10 CCFSFTO K1FTPIR 1.44E-08 3.91E-11 CCFRDOR K1FTPIR 1.55E-10 2.12E-13 CCFRDOR CON1O/CR 4.60E-10 6.31E-13 CCFSFTO CON1O/CR 4.27E-08 1.16E-10 S1MFTOR COND2S/C 4.27E-06 1.16E-08 S2MFTOR COND1S/C 1.81E-04 4.93E-07 CCFCSC CON2O/CR 1.26E-07 3.42E-10 CCFSFTO CON2O/CR 4.27E-08 1.16E-10 CCFRDOR CON2O/CR 4.60E-10 6.31E-13 CCFCSC CON1O/CR 1.26E-07 3.42E-10 S2NOFTCR COND1S/C S2NCCFTO 6.40E-06 2.31E-08 S2NOFTCR S1NCCFTO COND2S/C 1.55E-07 5.59E-10 K2FTDOR K3FTDOR CON2O/CR 3.18E-13 2.90E-16 CON2O/CR S1NCCFTO S2NCCFTO 1.51E-07 5.46E-10 K2FTDOR K3FTDOR K1FTPIR 1.07E-13 9.75E-17 K1FTPIR S1NCCFTO S2NCCFTO 5.08E-08 1.83E-10 CON1O/CR S1NCCFTO S2NCCFTO 1.51E-07 5.46E-10 S1NOFTCR COND1S/C S2NCCFTO 1.51E-07 5.46E-10 S1NOFTCR S1NCCFTO COND2S/C 3.65E-09 1.32E-11 K2FTDOR K3FTDOR CON1O/CR 3.18E-13 2.90E-16

C61

Page 103: RESEARCH REPORT 029 › research › rrpdf › rr029.pdf · RESEARCH REPORT 029. HSE Health & Safety Executive Proposal for requirements for low complexity safety related systems

No. Events Frequency Probability 44 K2FTDOR K3FTDOR S1NOFTCR 1.08E-13 9.87E-17 45 S1NOFTCR S1NCCFTO S2NCCFTO 5.14E-08 1.86E-10 46 K2FTDOR K3FTDOR S2NOFTCR 4.58E-12 4.18E-15 47 S2NOFTCR S1NCCFTO S2NCCFTO 2.18E-06 7.86E-09 48 S2MFTOR K2FTDOR K3FTDOR 4.58E-12 4.18E-15 49 S1MFTOR K2FTDOR K3FTDOR 1.08E-13 9.87E-17 50 CCFSFTCR S1NCCFTO S2NCCFTO 5.14E-10 1.86E-12 51 CCFCOCR S1NCCFTO S2NCCFTO 1.51E-09 5.46E-12 52 K1FTPIR COND1S/C S2NCCFTO 1.49E-07 5.39E-10 53 K1FTPIR S1NCCFTO COND2S/C 3.61E-09 1.30E-11 54 K2FTDOR K3FTDOR CCFSFTCR 1.08E-15 9.87E-19 55 K2FTDOR K3FTDOR CCFCOCR 3.18E-15 2.90E-18 56 CON2O/CR COND1S/C S2NCCFTO 4.44E-07 1.61E-09 57 CON2O/CR S1NCCFTO COND2S/C 1.07E-08 3.88E-11 58 S2NOFTCR COND1S/C COND2S/C 4.55E-07 1.64E-09 59 CON1O/CR COND1S/C S2NCCFTO 4.44E-07 1.61E-09 60 CON1O/CR S1NCCFTO COND2S/C 1.07E-08 3.88E-11 61 S1NOFTCR COND1S/C COND2S/C 1.07E-08 3.88E-11 62 CCFSFTCR COND1S/C S2NCCFTO 1.51E-09 5.46E-12 63 CCFSFTCR S1NCCFTO COND2S/C 3.65E-11 1.32E-13 64 CCFCOCR COND1S/C S2NCCFTO 4.44E-09 1.61E-11 65 CCFCOCR S1NCCFTO COND2S/C 1.07E-10 3.88E-13 66 K1FTPIR COND1S/C COND2S/C 1.06E-08 3.84E-11 67 CON2O/CR COND1S/C COND2S/C 3.16E-08 1.14E-10 68 CON1O/CR COND1S/C COND2S/C 3.16E-08 1.14E-10 69 CCFSFTCR COND1S/C COND2S/C 1.07E-10 3.88E-13 70 CCFCOCR COND1S/C COND2S/C 3.16E-10 1.14E-12

C62


TABLE C19: CUTSET LISTING FOR TOP EVENT CCT18

Version 5.27 Date(dd-mm-yy): 29-08-01 Time:15.55.12 Fault Tree File: G:\JOBS\WO\J\2614\LOGAN\WITH CCF\J2614_001_2LS_LOWCCF Top Event: CCT18 Freq: 2.61E-04 Prob: 7.10E-07

No.  Events  Frequency  Probability
1  CCFSWMR  1.70E-05  4.66E-08
2  S1MFTOR CCFCSCR  4.66E-10  6.38E-13
3  S1MFTOR CCFSFTOR  1.58E-10  2.17E-13
4  S1MFTOR CCFRDOR  1.57E-10  2.14E-13
5  S1MFTOR S2NCFTOR  6.71E-07  9.19E-10
6  S1MFTOR S2MFTOR  6.71E-07  9.19E-10
7  CCFRDOR CCFCOCR  4.60E-12  6.31E-15
8  S2MFTOR CCFCSCR  1.97E-08  2.70E-11
9  S2MFTOR CCFSFTOR  6.71E-09  9.19E-12
10  S2MFTOR CCFRDOR  6.63E-09  9.08E-12
11  S2MFTOR S1NCCFTO  6.15E-05  1.68E-07
12  CCFRDOR CCFSFTCR  1.57E-12  2.14E-15
13  CCFCSCR S2NOFTCR  1.97E-08  2.70E-11
14  CCFSFTOR S2NOFTCR  6.71E-09  9.19E-12
15  CCFRDOR S2NOFTCR  6.63E-09  9.08E-12
16  CCFSFTOR CCFCOCR  4.66E-12  6.38E-15
17  CCFSFTOR CCFSFTCR  1.58E-12  2.17E-15
18  CCFCSCR S1NOFTCR  4.66E-10  6.38E-13
19  CCFSFTOR S1NOFTCR  1.58E-10  2.17E-13
20  CCFRDOR S1NOFTCR  1.57E-10  2.14E-13
21  CCFCSCR CCFCOCR  1.37E-11  1.88E-14
22  CCFCSCR CCFSFTCR  4.66E-12  6.38E-15
23  CCFCSCR K1FTPIR  4.60E-10  6.31E-13
24  CCFSFTOR K1FTPIR  1.57E-10  2.14E-13
25  CCFRDOR K1FTPIR  1.55E-10  2.12E-13
26  CCFRDOR CON1O/CR  4.60E-10  6.31E-13
27  CCFSFTOR CON1O/CR  4.66E-10  6.38E-13
28  S1MFTOR CON2S/CR  4.66E-08  6.38E-11
29  S2MFTOR COND1S/C  1.81E-04  4.93E-07
30  CCFCSCR CON2O/CR  1.37E-09  1.88E-12
31  CCFSFTOR CON2O/CR  4.66E-10  6.38E-13
32  CCFRDOR CON2O/CR  4.60E-10  6.31E-13
33  CCFCSCR CON1O/CR  1.37E-09  1.88E-12
34  S2NOFTCR COND1S/C S2NCFTOR  7.12E-08  9.73E-11
35  S2NOFTCR S1NCCFTO CON2S/CR  1.68E-09  2.30E-12
36  K3FTDOR K4FTDOR CON2O/CR  3.18E-13  2.90E-16
37  CON2O/CR S1NCCFTO S2NCFTOR  1.68E-09  2.30E-12
38  K3FTDOR K4FTDOR K1FTPIR  1.07E-13  9.75E-17
39  K1FTPIR S1NCCFTO S2NCFTOR  5.65E-10  7.72E-13
40  CON1O/CR S1NCCFTO S2NCFTOR  1.68E-09  2.30E-12
41  S1NOFTCR COND1S/C S2NCFTOR  1.68E-09  2.30E-12
42  S1NOFTCR S1NCCFTO CON2S/CR  3.97E-11  5.42E-14
43  K3FTDOR K4FTDOR CON1O/CR  3.18E-13  2.90E-16

C63


No.  Events  Frequency  Probability
44  K3FTDOR K4FTDOR S1NOFTCR  1.08E-13  9.87E-17
45  S1NOFTCR S1NCCFTO S2NCFTOR  5.72E-10  7.81E-13
46  K3FTDOR K4FTDOR S2NOFTCR  4.58E-12  4.18E-15
47  S2NOFTCR S1NCCFTO S2NCFTOR  2.42E-08  3.31E-11
48  S2MFTOR K3FTDOR K4FTDOR  4.58E-12  4.18E-15
49  S1MFTOR K3FTDOR K4FTDOR  1.08E-13  9.87E-17
50  CCFSFTCR S1NCCFTO S2NCFTOR  5.72E-12  7.81E-15
51  CCFCOCR S1NCCFTO S2NCFTOR  1.68E-11  2.30E-14
52  K1FTPIR COND1S/C S2NCFTOR  1.66E-09  2.27E-12
53  K1FTPIR S1NCCFTO CON2S/CR  3.92E-11  5.36E-14
54  K3FTDOR K4FTDOR CCFSFTCR  1.08E-15  9.87E-19
55  K3FTDOR K4FTDOR CCFCOCR  3.18E-15  2.90E-18
56  CON2O/CR COND1S/C S2NCFTOR  4.94E-09  6.76E-12
57  CON2O/CR S1NCCFTO CON2S/CR  1.17E-10  1.60E-13
58  S2NOFTCR COND1S/C CON2S/CR  4.94E-09  6.76E-12
59  CON1O/CR COND1S/C S2NCFTOR  4.94E-09  6.76E-12
60  CON1O/CR S1NCCFTO CON2S/CR  1.17E-10  1.60E-13
61  S1NOFTCR COND1S/C CON2S/CR  1.17E-10  1.60E-13
62  CCFSFTCR COND1S/C S2NCFTOR  1.68E-11  2.30E-14
63  CCFSFTCR S1NCCFTO CON2S/CR  3.97E-13  5.42E-16
64  CCFCOCR COND1S/C S2NCFTOR  4.95E-11  6.76E-14
65  CCFCOCR S1NCCFTO CON2S/CR  1.17E-12  1.60E-15
66  K1FTPIR COND1S/C CON2S/CR  1.15E-10  1.58E-13
67  CON2O/CR COND1S/C CON2S/CR  3.43E-10  4.69E-13
68  CON1O/CR COND1S/C CON2S/CR  3.43E-10  4.69E-13
69  CCFSFTCR COND1S/C CON2S/CR  1.17E-12  1.60E-15
70  CCFCOCR COND1S/C CON2S/CR  3.43E-12  4.69E-15

C64


APPENDIX D: FAILURE MODES OF ELECTRICAL / ELECTRONIC COMPONENTS FOR LOW COMPLEXITY E/E/PES AND CONSERVATIVE VALUES OF FAILURE RATE

Columns of the table: Component; Total Failure Rate (per 10^6 hours); Failure Mode; Failure Mode Ratio %. Each component is given with its total failure rate, followed by its failure modes and their ratio in %.

Switch with positive opening on demand, e.g. push button, emergency stop device, position switches, cam operated, selector switches (total failure rate 1 per 10^6 hours)
    Contacts will not open* | 20
    Contacts will not close | 80

Electromechanical position switch, limit switch, manually operated switch etc. (not positively opening on demand) (total failure rate 30 per 10^6 hours)
    Contacts will not open | 50
    Contacts will not close | 50

Relay (total failure rate 0.4 per 10^6 hours)
    All contacts remain in the energised position when the coil is de-energised | 25
    All contacts remain in the de-energised position when the coil is energised | 25
    Contacts will not open | 10
    Contacts will not close | 10
    Simultaneous short circuit between three contacts of a change-over contact* | 10
    Simultaneous closing of normally open and normally closed contacts* | 10
    Short circuit between two pairs of contacts and/or between contacts and coil terminal* | 10

Circuit Breaker, Differential Circuit Breaker, Residual Current Device (total failure rate 12 per 10^6 hours)
    All contacts remain in the energised position when the coil is de-energised | 25
    All contacts remain in the de-energised position when the coil is energised | 25
    Contacts will not open | 10
    Contacts will not close | 10
    Simultaneous short circuit between three contacts of a change-over contact* | 10
    Simultaneous closing of normally open and normally closed contacts* | 10
    Short circuit between two pairs of contacts and/or between contacts and coil terminal* | 10

Contactor (total failure rate 1.2 per 10^6 hours)
    All contacts remain in the energised position when the coil is de-energised | 25
    All contacts remain in the de-energised position when the coil is energised | 25
    Contacts will not open | 10
    Contacts will not close | 10
    Simultaneous short circuit between three contacts of a change-over contact* | 10
    Simultaneous closing of normally open and normally closed contacts* | 10
    Short circuit between two pairs of contacts and/or between contacts and coil terminal* | 10

Fuse (total failure rate 0.02 per 10^6 hours)
    Fails to blow (short circuit) | 10
    Open circuit | 90

Proximity switch (total failure rate 10 per 10^6 hours)
    Permanently low resistance at output | 25
    Permanently high resistance at output | 25
    Interruption in power supply | 30
    No operation of switch due to mechanical failure* | 10
    Simultaneous short circuit between three terminals of changeover contacts* | 10

Temperature switch (total failure rate 25 per 10^6 hours)
    Contacts will not close | 30
    Contacts will not open* | 10
    Short circuits between adjacent contacts* | 10
    Simultaneous short circuit between three terminals of change-over contacts* | 10
    Faulty sensor | 20
    Change of the detection or output characteristic | 20

Pressure switch (total failure rate 110 per 10^6 hours)
    Contacts will not close | 30
    Contacts will not open* | 10
    Short circuits between adjacent contacts* | 10
    Simultaneous short circuit between three terminals of change-over contacts* | 10
    Faulty sensor | 20
    Change of the detection or output characteristic | 20

Solenoid valve (total failure rate 3 per 10^6 hours)
    Does not energise | 3.4
    Does not de-energise | 17.3
    Change of switching times* | 3.4
    Non-switching (sticking in the end or zero position) or incomplete switching (sticking in a random intermediate position)*
    Spontaneous change of the initial switching position (without an input signal)*
    Leakage* | 65.6
    Change in the leakage flow rate over a long period of time
    Bursting of the valve housing or breakage of the moving component(s) as well as breakage / fracture of the mounting or housing screws*
    For servo and proportional valves: pneumatic / hydraulic faults which cause uncontrolled behaviour.

Transformer (total failure rate 2 per 10^6 hours)
    Open circuit of individual winding | 70
    Short circuit between different windings* | 10
    Short circuit in one winding* | 10
    Change in effective turns ratio* | 10

Inductances (total failure rate 0.001 per 10^6 hours)
    Open circuit | 80
    Short circuit* | 10
    Random change of value | 10

Resistors (total failure rate 0.2 per 10^6 hours)
    Open circuit | 80
    Short circuit* | 10
    Random change of value | 10

Resistor Networks (total failure rate 0.1 per 10^6 hours)
    Open circuit | 70
    Short circuit | 10
    Short circuit between any connections | 10
    Random change of value | 10

Potentiometers (total failure rate 0.2 per 10^6 hours)
    Open circuit of individual connection | 70
    Short circuit between all connections | 10
    Short circuit between any two connections | 10
    Random change of value | 10

Capacitors (total failure rate 0.3 per 10^6 hours)
    Open circuit | 40
    Short circuit | 40
    Random change of value | 10
    Changing value tan δ | 10

Discrete semiconductors (total failure rate 0.06 per 10^6 hours)
    Open circuit of any connection | 25
    Short circuit between any two connections | 25
    Short circuit between all connections | 25
    Change in characteristics | 25

Non-programmable integrated circuits (non-complex, i.e. less than 1000 gates and/or less than 24 pins, operational amplifiers, shift registers, and hybrid modules) (total failure rate 0.3 per 10^6 hours)
    Open circuit of any connection | 20
    Short circuit between any two connections | 20
    "Stuck at" faults | 20
    Parasitic oscillation of outputs | 20
    Changing values (e.g. input/output voltage of analogue device) | 20

Opto-couplers (total failure rate 0.6 per 10^6 hours)
    Open circuit of individual connection | 30
    Short circuit between any two input connections | 30
    Short circuit between any two output connections | 30
    Short circuit between any two connections of input and output* | 10

Plug and socket, multi-pin connector (total failure rate 0.4 per 10^6 hours per active contact)
    Short circuit between any two adjacent pins* | 10
    Short circuit of any conductor to an exposed conductive part | 10
    Open circuit of individual connector pins | 80

Terminal block (total failure rate 0.12 per 10^6 hours per active contact)
    Short circuit between adjacent terminals* | 10
    Open circuit of individual terminals | 90

Notes.

1) Failure modes indicated by an asterisk may be omitted from the failure rate calculation if the conditions of Table D.5 of prEN954-2 are met. If all potentially dangerous failure modes of a component are excluded on these grounds, the component need not be taken into account.

2) Electrical failure modes taken from Tables D.5 of prEN954-2. Mechanical failure modes (where applicable) are taken from Annexes A, B and C of prEN954-2.
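The Note 1 rule applied to two rows of the table above, as an added example that is not part of the HSE report: the relay and terminal block rates and ratios are the Appendix D values, while the set of modes treated as dangerous is an assumption for a de-energise-to-trip interlock (a failure to open or to drop out is the unsafe direction).

```python
"""Dangerous failure rate from the Appendix D table, with the Note 1 fault exclusion.
Added example, not from the HSE report. Rates and ratios are the Appendix D rows for
the relay and the terminal block; which modes count as dangerous is an ASSUMPTION for a
de-energise-to-trip interlock (anything that keeps the circuit made is unsafe)."""
import math
from dataclasses import dataclass

@dataclass(frozen=True)
class FailureMode:
    name: str
    ratio_pct: float          # Failure Mode Ratio % column
    excludable: bool = False  # asterisked in the table: may be omitted under Note 1

@dataclass(frozen=True)
class Component:
    name: str
    rate_per_1e6h: float      # Total Failure Rate (per 10^6 hours) column
    modes: tuple

    def ratios_consistent(self) -> bool:
        """Transcription check: the mode ratios of one table row must sum to 100 %."""
        return math.isclose(sum(m.ratio_pct for m in self.modes), 100.0)

RELAY = Component("Relay", 0.4, (
    FailureMode("stays energised when coil de-energised", 25),
    FailureMode("stays de-energised when coil energised", 25),
    FailureMode("contacts will not open", 10),
    FailureMode("contacts will not close", 10),
    FailureMode("short circuit across change-over contact", 10, True),
    FailureMode("NO and NC contacts closed together", 10, True),
    FailureMode("short circuit contact pairs / coil terminal", 10, True)))
TERMINAL_BLOCK = Component("Terminal block", 0.12, (
    FailureMode("short circuit between adjacent terminals", 10, True),
    FailureMode("open circuit of individual terminals", 90)))

# ASSUMED dangerous modes for de-energise-to-trip: failure to open or to drop out.
DANGEROUS = {"stays energised when coil de-energised", "contacts will not open",
             "short circuit across change-over contact", "NO and NC contacts closed together",
             "short circuit contact pairs / coil terminal", "short circuit between adjacent terminals"}

def dangerous_failure_rate(comp: Component, fault_exclusion: bool) -> float:
    """lambda_D in failures per hour. fault_exclusion=True drops the asterisked modes,
    which Note 1 permits only when the prEN954-2 Table D.5 conditions are met."""
    pct = sum(m.ratio_pct for m in comp.modes
              if m.name in DANGEROUS and not (fault_exclusion and m.excludable))
    return comp.rate_per_1e6h * 1e-6 * pct / 100.0

def needs_consideration(comp: Component, fault_exclusion: bool) -> bool:
    """Note 1, second sentence: a component with all dangerous modes excluded drops out."""
    return dangerous_failure_rate(comp, fault_exclusion) > 0.0
```

With the exclusion applied the relay's dangerous rate falls from 2.6E-07 to 1.4E-07 per hour, and the terminal block drops out of the calculation entirely because its only dangerous mode is asterisked.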


Printed and published by the Health and Safety Executive C30 1/98

Printed and published by the Health and Safety Executive C1.25 10/02


ISBN 0-7176-2576-1

RR 029

9 780717625765   £20.00